
I'm using the highslide library in my website, and sometimes (not all the time) the code I used is printed on the screen, but I don't know why. This is my code:

    <script type="text/javascript">

    hs3.graphicsDir = '<?echo $RootPath;?>/ExternalLibrary/highslide/graphics/';
    hs3.align = 'center';
    hs3.transitions = ['expand', 'crossfade'];
    hs3.fadeInOut = true;
    hs3.outlineType = 'glossy-dark';
    hs3.wrapperClassName = 'dark';
    hs3.captionEval = 'this.a.title';
    hs3.numberPosition = 'caption';
    hs3.useBox = true;
    hs3.width = 600;
    hs3.height = 400;

    hs3.addSlideshow({
        //slideshowGroup: 'group1',
        interval: 5000,
        repeat: false,
        useControls: true,
        fixedControls: 'fit',
        overlayOptions: {
            position: 'bottom center',
            opacity: 0.75,
            hideOnMouseOut: true
        },
        thumbstrip: {
            position: 'above',
            mode: 'horizontal',
            relativeTo: 'expander'
        }
    });

    var miniGalleryOptions1 = {
        thumbnailId: 'thumb1'
    };
    </script>

Where $RootPath is a PHP variable, and its value is Portal. The code printed on the screen is the code after the $RootPath variable. Any idea?

Omar Taha

1 Answer

$RootPath contains some injection and is not the value "Portal" - what!?!? Bear with me.

It contains "</script>" or similar; view the actual rendered HTML if you're a Doubting Taha. This in turn causes the browser to close the script element which results in the following being processed as normal not-in-script HTML. (A browser can technically terminate the script element's PCDATA if it encounters the sequence "</", although to my knowledge modern browsers require it to be at least "</script ".)

To fix/prevent this, always use json_encode for values from PHP used in/as JavaScript. This should be automatic, just as using htmlentities should be automatic when writing not-guaranteed-to-be-safe-HTML text into an HTML context.

Here is how to correctly write the code (although I recommend using the <?= ?> tags):

    hs3.graphicsDir = <?echo json_encode("$RootPath/ExternalLibrary/highslide/graphics/"); ?>;

After this change the injection will result in a bad/invalid graphicsDir value but it will not "break" the HTML itself. (Again, view the actual HTML to see what value $RootPath was really.)

Using json_encode also makes it possible to tidy up the PHP/JavaScript interface; in the above it allowed the surrounding JavaScript quotes to be omitted as those are part of the resulting JSON String value. If many values need to be passed, consider construction of an array and supply the JSON-encoded result using the same technique.

user2864740
  • Ok, that's true my friend, there is a close after the PHP variable, but why?? I didn't understand why this happens, and why $RootPath contains or similar views? Could you please explain that please. – Omar Taha Sep 14 '14 at 07:25
  • @OmarTaha I don't know *where* the value comes from; that is for you to track down :) It might be an accidental assignment .. *or* someone might have tried to slip in a malicious value. Track it back in the code to where/why it was assigned the problematic value. – user2864740 Sep 14 '14 at 07:26
  • well, I tried to use your code, but the same, it still appears. – Omar Taha Sep 14 '14 at 07:34
  • Unpossible (well, it might be possible but before I entertain this idea I wish to see the *actual* HTML generated) - post the *actual* HTML of the relevant `hs3.graphicsDir = ..` line. – user2864740 Sep 14 '14 at 07:35
  • ; hs3.align = 'center'; hs3.transitions = ['expand', 'crossfade']; hs3.fadeInOut = true; hs3.outlineType = 'glossy-dark'; hs3.wrapperClassName = 'dark'; hs3.captionEval = 'this.a.title'; hs3.numberPosition = 'caption'; hs3.useBox = true; hs3.width = 600; hs3.height = 400; //hs.dimmingOpacity = 0.8; this exactly what is in html – Omar Taha Sep 14 '14 at 07:44
  • @OmarTaha And this is *after* using the json_encode as shown above? The `/` value *should* be escaped as [seen here](http://ideone.com/ojOscm) and the browser will not end the script element if it sees `<\/script` – user2864740 Sep 14 '14 at 07:47
  • yes, this is after using json_encode, I'm confused about it, note, this happens just in chrome browser. – Omar Taha Sep 14 '14 at 07:54
  • Can you post the problematic HTML somewhere? Or better, create an example on [ideone](http://ideone.com/) *showing* the problematic PHP? *I am skeptical that json_encode is being used because the `/` was **not** escaped in the shown string*, making me believe that it was still a result of running *old* non-json_encode code (and this has been the behavior of json_encode since at least 2009, if not before). It is also unlikely that there would be a difference here between IE/Chrome/FF in the [end]tag handling. – user2864740 Sep 14 '14 at 07:55
  • the script document.location is the script before my script, and not the script which I used json_encode in; the line which contains hs3.graphicDir does not appear at all, neither the start of the script tag. – Omar Taha Sep 14 '14 at 08:00
  • Oh. I see. Well, *fix that script too*, for the same reasons as stated above only with a slightly different cause. And I don't see the "h3.graphicsDir = .." line anywhere - *where* is it and *why* is it missing? Also, make sure to *post the actual HTML into the main question where it can be formatted correctly*. – user2864740 Sep 14 '14 at 08:03
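The mechanism the answer and the comments describe (a `</script>` inside `$RootPath` ending the script element early, and `json_encode` defusing it by emitting `<\/script>`) can be reproduced in isolation. The following is an added example, not code from the question, the answer or the Highslide project; `$RootPath` is set to a constructed hostile value, the `render*` and `containsScriptTerminator` helper names are made up for the demo, and the `hsConfig` variable is a hypothetical name for the "pass many values as one array" approach the answer suggests. `JSON_HEX_TAG` is a real PHP flag that goes one step beyond the default slash escaping by encoding `<` and `>` themselves.

```php
<?php
// Added example (not from the question or answer). $RootPath is a constructed,
// deliberately hostile value standing in for whatever the asker's variable
// was really set to; the real value should be tracked down in the application.
$RootPath = 'Portal</script><p>injected</p>';

// 1. Unsafe: the question's original pattern. The value is pasted verbatim
//    between JavaScript quotes, so an embedded "</script>" is seen by the HTML
//    parser as the end tag and everything after it is rendered as page text.
function renderUnsafe(string $rootPath): string
{
    return "hs3.graphicsDir = '" . $rootPath . "/ExternalLibrary/highslide/graphics/';";
}

// 2. Safe: the answer's fix. json_encode emits a complete JS string literal,
//    quotes included, and by default escapes "/" as "\/", so "</script>"
//    becomes "<\/script>" and no end tag exists for the HTML parser to find.
//    (Do not combine this with JSON_UNESCAPED_SLASHES, which would undo that.)
function renderSafe(string $rootPath): string
{
    return 'hs3.graphicsDir = '
        . json_encode("$rootPath/ExternalLibrary/highslide/graphics/")
        . ';';
}

// 3. Many values: build one array and emit it as a single JSON object,
//    as the answer recommends. JSON_HEX_TAG additionally turns "<" and ">"
//    into \u003C and \u003E, so the output cannot contain any tag-like
//    sequence at all, whatever the values are.
function renderConfig(array $config): string
{
    return 'var hsConfig = ' . json_encode($config, JSON_HEX_TAG) . ';';
}

// A cheap output check a template helper can run: does the generated
// JavaScript contain anything the HTML parser would treat as an end tag?
function containsScriptTerminator(string $js): bool
{
    return stripos($js, '</script') !== false;
}

$unsafe = renderUnsafe($RootPath);
$safe   = renderSafe($RootPath);
$config = renderConfig([
    'graphicsDir' => "$RootPath/ExternalLibrary/highslide/graphics/",
    'width'       => 600,
    'height'      => 400,
    'fadeInOut'   => true,
]);

echo "unsafe:\n$unsafe\n\n";
echo "safe:\n$safe\n\n";
echo "config:\n$config\n\n";

// The unsafe rendering still carries the raw end tag; the two json_encode
// renderings do not, so the surrounding <script> element stays intact.
var_dump(containsScriptTerminator($unsafe));
var_dump(containsScriptTerminator($safe));
var_dump(containsScriptTerminator($config));
```

Run it with `php example.php` and compare the three renderings: only the first contains a literal `</script`. This is also the quick way to settle the question raised in the comments (whether the page was really generated by the `json_encode` version): if the served HTML shows an unescaped `/` inside that string, the line was not produced by `json_encode`.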