[UNKNOWN][3.x] Ext.util.Format.stripScripts() does not work as it should



Tom23
12 Dec 2009, 12:57 PM
Ext.util.Format.stripScripts() can easily be tricked. This might cause some security problems (e.g., in Feed Viewer (http://www.extjs.com/deploy/dev/examples/feed-viewer/view.html))


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML>
<HEAD><TITLE>Test</TITLE></HEAD>
<BODY>
<SCRIPT type="text/javascript" >
alert('XSS!');
</script >
</BODY>
</HTML>


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML>
<HEAD><TITLE>Test</TITLE></HEAD>
<BODY>
<SCRIPT type="text/javascript" >
alert('XSS!');
</>
</BODY>
</HTML>


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML>
<HEAD><TITLE>Test</TITLE></HEAD>
<BODY>
<SCRIPT type="text/javascript"/
alert('XSS!');
/
</BODY>
</HTML>

All of the above are perfectly valid HTML strict. Fortunately, browsers will not execute the script in example 3, because they don't know how to parse that quirky source.

Instead, they go with

The first occurrence of the character sequence "</" (end-tag open delimiter) is treated as terminating the end of the element's content.

http://www.w3.org/TR/html4/types.html


So stripTagsRE in Ext.util.Format should be

/(?:<script.*?>)((\n|\r|.)*?)(?:<\/([^<>]*>)?)/ig
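To see the difference concretely, the following is an added example (not from the post or from Ext JS): it runs the 3.x stripScripts pattern, as I recall it from the 3.x source (an assumption), and the pattern proposed above over the closing-tag variants shown in the post. SHIPPED_RE, PROPOSED_RE, stripScripts, SAMPLES and compare are names chosen here.

```javascript
// Ext 3.x stripScripts regex as recalled from the 3.x source (assumption):
// it only recognises the exact string "</script>" as the end of a script.
const SHIPPED_RE  = /(?:<script.*?>)((\n|\r|.)*?)(?:<\/script>)/ig;
// Pattern proposed in the post: any "</" (optionally followed by a tag name
// and ">") ends the script content, mirroring the HTML 4.01 rule quoted above.
const PROPOSED_RE = /(?:<script.*?>)((\n|\r|.)*?)(?:<\/([^<>]*>)?)/ig;

// Same shape as Ext.util.Format.stripScripts: a global regex replace.
function stripScripts(html, re) {
  return html ? String(html).replace(re, '') : html;
}

// Constructed inputs: a well-formed close, then the two variants from the
// post that browsers still execute (space before ">" and a bare "</>").
const SAMPLES = {
  wellFormed:  '<p>hi</p><script type="text/javascript">alert(1);</script><p>bye</p>',
  spacedClose: '<p>hi</p><SCRIPT type="text/javascript" >\nalert(1);\n</script >\n<p>bye</p>',
  bareClose:   '<p>hi</p><SCRIPT type="text/javascript" >\nalert(1);\n</>\n<p>bye</p>',
};

// True when an opening <script> tag with its payload is still present.
function survivesScript(html) {
  return /<script[\s\S]*?alert/i.test(html);
}

// For each sample, report whether the script survived each regex.
function compare() {
  const out = {};
  for (const [name, html] of Object.entries(SAMPLES)) {
    out[name] = {
      shipped:  survivesScript(stripScripts(html, SHIPPED_RE)),
      proposed: survivesScript(stripScripts(html, PROPOSED_RE)),
    };
  }
  return out;
}

console.log(compare());
// shipped: true for spacedClose and bareClose; proposed: false for all three
```

Even with the wider pattern, stripScripts is a deny-list filter: untrusted feed HTML should still be escaped or run through a real HTML sanitizer before being inserted into the DOM.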