
Following up on my last question...

This code can be exploited if an attacker has access to encodedText:

return $('<div/>').html(encodedText).text();

e.g. $("<div/>").html('<img src="X" onerror="alert(\'hi\');" />').text() displays an alert.

This answer recommends using a textarea instead to avoid the XSS vulnerability:

return $('<textarea/>').html(encodedText).text();

This was able to handle the previous exploit safely.

However, this answer indicates that there are still XSS vulnerabilities when using textarea:

I suggest using a safer, more optimized function

don't use jQuery.html().text() to decode html entities as it's unsafe because user input should never have access to the DOM

My question is: Is there a way in any browser to exploit $('<textarea/>').html(encodedText); to run XSS, assuming the attacker has access to encodedText?

  • $('<textarea/>').html('<script>alert()</script>').text(); would still run the script. I don't see any benefit from using <textarea>. Commented Jul 8, 2015 at 6:22
  • Oh crap, you're absolutely right: textarea handles the exploit I posted but not your even simpler one! Commented Jul 8, 2015 at 6:30
  • That's because the browser (or at least Chrome) wouldn't fire the onerror event when the <img> element is part of a <textarea>. But if the attacker has access to encodedText then simple script injection would run nonetheless. You need to ask yourself why encodedText is controlled by the end user. Is it something that is stored in a database (sanitize it upon saving, then), or is it injected through some request parameter (don't do it, or at least try to manipulate it before parsing / attaching it to the DOM in any way)? Commented Jul 8, 2015 at 6:33

2 Answers


I wouldn't risk it, to be honest; it would be a lot safer if you handled anything that needed to be encrypted or unencrypted server-side.


1 Comment

The purpose of this method is to convert a string like me &amp; you to me & you. So I could do that server-side, but I then write it to the page. Writing unencoded HTML special characters to the page would be another XSS attack, e.g. the user could write <script>alert('lol')</script>. So if I want to write the data to the page and then display it, I'll have to encode it on the server, then unencode it on the client.


A comment by @haim770 gave me:

$('<textarea/>').html('<script>alert()</script>').text();

It seems like $('<textarea/>').html() doesn't help at all with safely parsing user input.
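What the thread arrives at, that entity decoding must not route attacker-controlled text through .html() no matter which wrapper element is used, can be done with a plain string decoder that never touches the DOM. The following is an added example, not code from the question or from either answer: the names decodeHtmlEntities, encodeHtmlEntities and renderDecoded are hypothetical, the named-entity table is deliberately limited to the handful of entities the asker's round trip needs (not the full HTML named-character list), and the decoded string is only ever assigned to textContent. The sample inputs in the comments are constructed for illustration.

```javascript
// Added example (not from the original question or answers).
// Decodes HTML character references as a pure string operation, so untrusted
// input never reaches innerHTML / jQuery .html(). Handles the predefined XML
// entities plus &apos; and &nbsp;, and decimal (&#39;) and hexadecimal (&#x27;)
// numeric references. Unknown named entities are left as-is, not guessed.

// A Map rather than a plain object, so an input such as "&constructor;" cannot
// resolve through Object.prototype. Table is intentionally minimal (assumption).
const NAMED_ENTITIES = new Map([
  ['amp', '&'],
  ['lt', '<'],
  ['gt', '>'],
  ['quot', '"'],
  ['apos', "'"],
  ['nbsp', '\u00a0'],
]);

// Hypothetical name. Single-pass: "&amp;lt;" decodes to "&lt;", not to "<".
function decodeHtmlEntities(encodedText) {
  return String(encodedText).replace(
    /&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi,
    (match, body) => {
      if (body[0] === '#') {
        const isHex = body[1] === 'x' || body[1] === 'X';
        const codePoint = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
        // Refuse surrogates and values beyond U+10FFFF instead of emitting garbage.
        if (codePoint > 0x10ffff || (codePoint >= 0xd800 && codePoint <= 0xdfff)) {
          return match;
        }
        return String.fromCodePoint(codePoint);
      }
      const named = NAMED_ENTITIES.get(body); // entity names are case-sensitive
      return named === undefined ? match : named;
    }
  );
}

// Hypothetical name. The server-side step the asker describes: escape the five
// characters that matter in HTML before the string is written into the page.
function encodeHtmlEntities(text) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => table[ch]);
}

// Hypothetical name. The decoded text goes into textContent only. Assigning it
// to innerHTML or jQuery .html() would recreate the XSS the thread discusses,
// whether the wrapper element is a <div> or a <textarea>.
function renderDecoded(element, encodedText) {
  element.textContent = decodeHtmlEntities(encodedText);
  return element.textContent;
}

// Constructed sample: the asker's own case and the payload from the question.
decodeHtmlEntities('me &amp; you');
decodeHtmlEntities(encodeHtmlEntities('<img src="X" onerror="alert(\'hi\');" />'));
```

Because decodeHtmlEntities operates on the string alone, the question of whether a given browser fires onerror or executes a <script> inside some wrapper element never arises; the only DOM operation is the textContent assignment, which does not parse markup.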

