
Following up on my last question...

This code can be exploited if an attacker has access to encodedText:

return $('<div/>').html(encodedText).text();

e.g. $("<div/>").html('<img src="X" onerror="alert(\'hi\');" />').text() displays an alert.

This answer recommends using a textarea instead to avoid the XSS vulnerability:

return $('<textarea/>').html(encodedText).text();

This was able to handle the previous exploit safely.

However, this answer indicates that there are still XSS vulnerabilities when using textarea:

I suggest using a safer, more optimized function

don't use jQuery.html().text() to decode html entities as it's unsafe because user input should never have access to the DOM

My question is: Is there a way in any browser to exploit $('<textarea/>').html(encodedText); to run XSS, assuming the attacker has access to encodedText?

actual_kangaroo
  • `$('<textarea/>').html('<script>alert()</script>').text();` would still run the script. I don't see any benefit from using `<textarea>` – haim770 Jul 08 '15 at 06:22
  • oh crap you're absolutely right, `textarea` handles the exploit I posted but not your even simpler one! – actual_kangaroo Jul 08 '15 at 06:30
  • That's because the browser (or at least Chrome) wouldn't fire the `onerror` event when the `<img>` element is part of a `<textarea>` – haim770 Jul 08 '15 at 06:33

2 Answers


I wouldn't risk it, to be honest; it would be a lot safer if you handled anything that needed to be encrypted or unencrypted server-side.

Daniel Dewhurst
  • the purpose of this method is to convert a string like `me &amp; you` to `me & you`. so I could do that server side, but I then write it to the page. writing unencoded html special characters to the page would be another XSS attack, e.g. the user could write `<script>`. so if I want to write the data to the page and then display it, I'll have to encode it on the server, then unencode it on the client. – actual_kangaroo Jul 17 '15 at 00:19

A comment by @haim770 gave me:

$('<textarea/>').html('<script>alert()</script>').text();

It seems like $('<textarea/>').html() doesn't help at all with safely parsing user input.

actual_kangaroo
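What the quoted advice ("user input should never have access to the DOM") amounts to in practice is decoding the entities as a pure string operation and only ever assigning the result as text. The following is an added example, not code from the question or from either answer; the function name and the (deliberately small) named-entity table are my own, and the table covers only the entities a server-side encoder normally emits.

```javascript
// Added example: decode HTML entities without touching the DOM.
// Because the input is never handed to innerHTML / jQuery.html(),
// no element can be created and no event handler or <script> can run,
// whatever the encoded text contains. Assign the returned string with
// .text() / textContent only; never feed it back into .html().

// Named entities a typical server-side encoder produces (assumption).
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0',
};

// Matches &name; , &#123; and &#x1F; forms. Anything else is left untouched.
const ENTITY_RE = /&(?:#x([0-9a-f]{1,6})|#([0-9]{1,7})|([a-z][a-z0-9]{1,31}));/gi;

function decodeHtmlEntities(encodedText) {
  return String(encodedText).replace(ENTITY_RE, (match, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      // Reject NUL, surrogate halves and out-of-range values; keep the
      // original entity text rather than guessing a replacement character.
      if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) {
        return match;
      }
      return String.fromCodePoint(cp);
    }
    const value = NAMED_ENTITIES[name];
    // Unknown names stay as written: a single decoding pass, no second guess.
    return value !== undefined ? value : match;
  });
}

// Constructed sample: the strings the thread discusses, server-encoded.
const SAMPLES = [
  'me &amp; you',
  '&lt;img src="X" onerror="alert(\'hi\');" /&gt;',
  '&lt;script&gt;alert()&lt;/script&gt;',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) {
    // The decoded values are plain strings: markup as text, not as DOM.
    console.log(JSON.stringify(decodeHtmlEntities(s)));
  }
}
```

Decoding is a single pass, so `&amp;lt;` becomes the literal `&lt;` rather than `<`, which is what a correct client-side unencode of server-encoded data should do.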