Page MenuHomePhabricator
Differential D7329

Disallow <! in <script>
ClosedPublic
Actions

Authored by vrana on Oct 16 2013, 3:49 PM.
Tags
None
Referenced Files
F13280265: D7329.id16504.diff
Sun, Jun 2, 4:08 AM
F13280263: D7329.id16503.diff
Sun, Jun 2, 4:08 AM
F13280262: D7329.id.diff
Sun, Jun 2, 4:08 AM
F13277633: D7329.diff
Fri, May 31, 12:27 PM
F13273041: D7329.diff
Fri, May 31, 1:30 AM
F13249347: D7329.id16504.diff
Fri, May 24, 8:41 AM
F13231462: D7329.diff
Tue, May 21, 12:29 AM
F13210573: D7329.diff
Fri, May 17, 5:00 AM
View All Files
Subscribers
aran
epriestley
Korvin

Details

Reviewers
epriestley
Commits
Restricted Diffusion Commit
rP29391a658e77: Disallow <! in <script>
Summary

HTML5 has this crazy script escaping states:

  • Script data escaped dash dash state
  • Script data double escaped state

https://communities.coverity.com/blogs/security/2012/11/16/did-i-do-that-html-5-js-escapers-3

Perhaps <! is too aggressive but I didn't spend much time searching for a more fine grained expression.

Test Plan

Searched for renderInlineScript().

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

epriestley accepted this revision.Oct 16 2013, 3:53 PM

Thanks!

Do you think we should also force json_encode() to escape !? I can't imagine it causing problems, so we could probably wait until it does...

vrana added a comment.Oct 16 2013, 4:22 PM

I think this is fine. It should be dangerous only inside <script> and we replace all < before sending it there.

vrana closed this revision.Oct 16 2013, 4:29 PM

Closed by commit rP29391a658e77 (authored by @vrana).

Revision Contents
Changeset List

PathSize
src/
applications/
differential/
controller/
1 line
view/
2 lines
infrastructure/
celerity/
3 lines

Diff 16504

View Options

src/applications/differential/controller/DifferentialRevisionViewController.php

Loading...
View Options

src/applications/differential/view/DifferentialRevisionUpdateHistoryView.php

Loading...
View Options

src/infrastructure/celerity/CelerityStaticResourceResponse.php

Loading...
Phabricator · Built by Phacility