
I have my function here to clean strings called

function clean($str) {
    // Normalise to UTF-8, trim, strip tags, then escape for an HTML context (quotes included)
    $str = htmlspecialchars(strip_tags(trim(mb_convert_encoding($str, 'UTF-8', 'UTF-8'))), ENT_QUOTES, 'UTF-8');
    return $str;
}

Right now, I checked the possible XSS attacks, and this one worked OK on `<img src="$str">`, but when I swapped the element to `<iframe src="$str">` the JS was executed using the following

$attr = clean("javascript:alert(\"RSnake says, 'XSS'\")");
$str = "<iframe src=\"$attr\">";

But for $str = "<img src=\"$attr\">"; it was safe.

How to handle this vulnerability?

What I did was add an extra part to the function, like this

function clean($str) {
    $str = htmlspecialchars(strip_tags(trim(mb_convert_encoding($str, 'UTF-8', 'UTF-8'))), ENT_QUOTES, 'UTF-8');
    // Second pass: htmlentities() encodes the already-escaped string again
    $str = htmlentities($str, ENT_QUOTES);
    return $str;
}
AXAI
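The following is an added example, not code from the question. It keeps the question's `clean()` as-is and runs a stand-in for the browser's HTML parser over its output, to show why escaping the value for the attribute does not remove the `javascript:` scheme, and why the extra `htmlentities()` pass only corrupts legitimate URLs (the ampersand problem raised later in the comments). The helper names `clean_double`, `as_seen_by_url_parser`, `scheme_of` and `trace` are hypothetical, and the `https://www.domain.com/...` URL is a constructed sample.

```php
<?php
// Added example, not code from the question. It simulates what a browser does
// with the value clean() produces, to show why entity escaping alone does not
// stop a javascript: URL in a src attribute. Helper names are hypothetical.

// The question's clean(), unchanged.
function clean($str) {
    return htmlspecialchars(strip_tags(trim(mb_convert_encoding($str, 'UTF-8', 'UTF-8'))), ENT_QUOTES, 'UTF-8');
}

// The question's second version: an extra htmlentities() pass on top (double encoding).
function clean_double($str) {
    return htmlentities(clean($str), ENT_QUOTES, 'UTF-8');
}

// Stand-in for the HTML parser: character references inside an attribute value
// are decoded first, and only the decoded text reaches the URL parser.
function as_seen_by_url_parser(string $attr): string {
    return html_entity_decode($attr, ENT_QUOTES, 'UTF-8');
}

// Scheme of the decoded value, lower-cased, or null if it has none.
function scheme_of(string $decoded): ?string {
    return preg_match('/^\s*([a-z][a-z0-9+.-]*):/i', $decoded, $m) ? strtolower($m[1]) : null;
}

// For one input, what the attribute contains and what the URL parser ends up with.
function trace(string $label, callable $cleaner, string $input): array {
    $attr    = $cleaner($input);
    $decoded = as_seen_by_url_parser($attr);
    return [
        'label'           => $label,
        'attribute_value' => $attr,
        'url_parser_sees' => $decoded,
        'unchanged'       => $decoded === $input,
        'scheme'          => scheme_of($decoded),
    ];
}

$payload = "javascript:alert(\"RSnake says, 'XSS'\")";       // the question's payload
$url     = 'https://www.domain.com/something.php?sa=1&pa=2'; // constructed legitimate URL

foreach ([
    trace('clean() on payload',         'clean',        $payload),
    trace('clean_double() on payload',  'clean_double', $payload),
    trace('clean() on real URL',        'clean',        $url),
    trace('clean_double() on real URL', 'clean_double', $url),
] as $row) {
    printf("%-30s attr = %s\n%-30s url parser sees = %s (unchanged: %s, scheme: %s)\n\n",
        $row['label'], $row['attribute_value'], '', $row['url_parser_sees'],
        $row['unchanged'] ? 'yes' : 'no', $row['scheme'] ?? 'none');
}
```

Run it with `php` on the command line. For the payload, both versions leave the scheme as `javascript` after decoding: the quotes are escaped, so the value cannot close the `src="..."` attribute, but the attribute value itself is still a URL the browser will navigate to. For the legitimate URL, `clean()` round-trips cleanly, while `clean_double()` leaves an `&amp;` in the query string that the server will see as a parameter named `amp;pa`. Escaping is the right tool for keeping a value inside its attribute; deciding whether the value is an acceptable URL at all is a separate check.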

1 Answer


Try the following:

<?php

// Accept the value only if it is a syntactically valid URL; otherwise return false
function clean($url) {
    if (!filter_var($url, FILTER_VALIDATE_URL))
        return false;
    return $url;
}
$attr = clean("javascript:alert(\"RSnake says, 'XSS'\")");
$str = "<iframe src=\"$attr\">";
// $str = "<img src=\"$attr\">";

echo($str);

It will sanitize the string based on it being a URL and, if it is not, it will output false.

mega6382
    Yes, that's what I did trying to solve it, but I remember someone said using both htmlent + htmlspec would make a problem in some kind of converting, like it would convert `&quot` to `&quotequot` or something – AXAI Sep 28 '17 at 12:58
  • @AXAI If you only want to display the string, then it will be no problem, but if you want to restore the string to its default form, it might cause some problems. Otherwise it is fine. – mega6382 Sep 28 '17 at 13:00
    The HTML parser will convert the entities back into regular characters before passing them to the URL parser, so that won't help at all. – Quentin Sep 28 '17 at 13:02
  • `htmlentities(htmlspecialchars())` — Double encoding won't help. It will just break the data. – Quentin Sep 28 '17 at 13:04
  • @Quentin By `break the data`, does that mean that this will break any string that isn't clean? Like if for the `src=""` I want the moderator to put only valid URLs like `www.domain.com/something.php?sa=&pa=` and anything that is suspected to be buried, or would it break the entire element formation? – AXAI Sep 28 '17 at 13:09
  • @AXAI — It means it will break perfectly valid and clean data (e.g. any URL with an ampersand in it). The `&` gets turned to `&amp;` which gets turned to `&amp;amp;` and then the HTML parser turns it back to `&amp;` and your URL has extra `amp;` in it that will not be recognised by the server. – Quentin Sep 28 '17 at 13:10
  • @AXAI If you want to `clean` a URL string, then I have updated my answer; check the new solution. – mega6382 Sep 28 '17 at 13:13
  • Re edit: What an enormous pile of irrelevant rubbish. `filter_var($url, FILTER_VALIDATE_URL)` makes sense, everything else is either going to have no effect or break things. – Quentin Sep 28 '17 at 13:15
  • @Quentin Re-edited Only `FILTER_VALIDATE_URL` now. Seems to be working fine. – mega6382 Sep 28 '17 at 13:23
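The following is an added example, not the answer's code. It keeps the answer's `FILTER_VALIDATE_URL` check and adds the two things a practitioner would still want before putting the value into `src`: an explicit scheme allowlist (syntax validation alone says nothing about whether a scheme is safe to navigate to) and a single pass of attribute-context escaping. `url_for_attribute()`, `render_iframe()` and `ALLOWED_URL_SCHEMES` are hypothetical names; the inputs are the question's payload, the scheme-less URL from the comments, and a constructed full URL.

```php
<?php
// Added example, not the answer's code. It combines the URL validation from the
// answer with a scheme allowlist and attribute-context escaping. Names such as
// url_for_attribute() and ALLOWED_URL_SCHEMES are hypothetical.

// Only these schemes may be embedded in src/href. FILTER_VALIDATE_URL checks
// syntax (scheme, host, allowed characters), not whether a scheme is safe to
// navigate to, so the allowlist is a separate decision.
const ALLOWED_URL_SCHEMES = ['http', 'https'];

/**
 * Returns the value ready to place inside src="...", or null if the input is
 * not an acceptable absolute URL. Null means "do not render the element".
 */
function url_for_attribute(string $input): ?string
{
    $url = trim($input);
    // Syntax check from the answer: rejects the javascript: payload (no host)
    // and scheme-less input such as www.domain.com/...
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Policy check: anything outside the allowlist is refused, whatever the syntax.
    if (!in_array(strtolower($parts['scheme']), ALLOWED_URL_SCHEMES, true)) {
        return null;
    }
    // Escape once for the attribute context: & becomes &amp; a single time, and
    // the browser decodes it back to & before the URL parser sees it.
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_iframe(string $input): string
{
    $attr = url_for_attribute($input);
    if ($attr === null) {
        // Render nothing rather than an element with an empty or rejected src.
        return '<!-- iframe omitted: URL rejected -->';
    }
    return "<iframe src=\"$attr\"></iframe>";
}

// Constructed inputs: the question's payload, the scheme-less URL from the
// comments, and a full URL with a query string containing an ampersand.
$inputs = [
    "javascript:alert(\"RSnake says, 'XSS'\")",
    'www.domain.com/something.php?sa=&pa=',
    'https://www.domain.com/something.php?sa=1&pa=2',
];
foreach ($inputs as $input) {
    echo render_iframe($input), PHP_EOL;
}
```

Two design points. First, the function returns `null` rather than `false` so that the caller cannot interpolate the result into the markup by accident (`"$attr"` with `false` silently yields an empty `src`); the caller decides what to render when the URL is rejected. Second, the scheme-less value the comments mention (`www.domain.com/something.php?sa=&pa=`) is rejected by `FILTER_VALIDATE_URL`, so if moderators are expected to enter URLs without `http://`, the application has to either prepend a fixed `https://` before validation or reject the input with a clear message; it should not try to guess the scheme from the string.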