
[whatwg] base64 entities

From: Kornel Lesiński <kornel@geekhood.net>
Date: Thu, 26 Aug 2010 09:00:59 +0100
Message-ID: <0E33533C-47C6-4476-92C2-A5CFD0A1BD1F@geekhood.net>
On 25.08.2010, at 23:46, Aryeh Gregor wrote:

>> These cases can be secured without any new features in browsers (by escaping whitespace using numeric entities):
>> 
>> function htmlescape($str) {
>>        return preg_replace('/[\s<>"\'&]/e','"&#".ord("$0").";"',$str);
>> }
> 
> That doesn't work in <script> for text/html, does it?

Ah, indeed.

Another tricky case came to my mind, which entities cannot secure (unless special magic is defined for the new entity):

onclick="show('&base64;')"

> These are reasonable points.  How many vulnerabilities would it
> actually prevent in practice if htmlspecialchars() were replaced with
> this everywhere?  XSS is usually when you don't escape things at all,
> not when you escape them in a slightly wrong way.  Easy escaping in
> <script> and <style> would be nice, though (or is there already some
> way to do that?).


In PHP, json_encode() works great for outputting data in JS (and can be configured to JS-escape HTML-unsafe chars too), but I feel like I'm the only person who knows about it :)

-- 
regards, Kornel Lesiński
Received on Thursday, 26 August 2010 01:00:59 UTC
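The two contexts the thread discusses, a `<script>` block and an inline handler attribute such as `onclick="show('...')"`, worked through in PHP with `json_encode()` and its `JSON_HEX_*` flags. This is an added example, not code from the thread or from either poster; the function names `htmlescape_entities`, `js_literal` and `js_in_attribute` and the sample input are constructed for illustration, and the code assumes PHP 7 or later.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+.
// Shows why entity escaping is the wrong tool inside <script>, how
// json_encode() with the JSON_HEX_* flags produces a JS literal that is safe
// there, and the extra HTML-attribute layer an onclick="..." handler needs.

// Constructed sample input: text an untrusted party could control.
$untrusted = "</script><b>oops</b> it's \"quoted\" & more";

// Numeric-entity escaper in the spirit of the quoted htmlescape(), written
// with preg_replace_callback (the /e modifier no longer exists in PHP 7).
// Fine for element text and quoted attribute values, but not for <script>
// blocks: the HTML parser leaves script data undecoded, so the JS program
// receives the literal text "&#60;" rather than "<". The data is mangled,
// which is the "doesn't work in <script>" point raised above.
function htmlescape_entities(string $str): string {
    return preg_replace_callback('/[\s<>"\'&]/', function (array $m): string {
        return '&#' . ord($m[0]) . ';';
    }, $str);
}

// JS literal for direct embedding in a <script> block. JSON_HEX_TAG, _AMP,
// _APOS and _QUOT turn < > & ' " into \uXXXX escapes, so the output can never
// contain "</script>" or "<!--". json_encode() returns false on invalid
// UTF-8, so fail closed instead of emitting an empty literal.
function js_literal($value): string {
    $json = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($json === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $json;
}

// Inline handlers are processed in two passes: the HTML parser decodes
// character references in the attribute value first, then the decoded text
// runs as JS. So the layering is: JS-encode the value, then HTML-attribute-
// encode that result. A hypothetical &base64; entity would be decoded by the
// first pass and handed to the JS parser as raw text, which is why an entity
// alone cannot secure this context.
function js_in_attribute($value): string {
    return htmlspecialchars(js_literal($value), ENT_QUOTES, 'UTF-8');
}

echo '<p>' . htmlescape_entities($untrusted) . "</p>\n";
echo '<script>var data = ' . js_literal($untrusted) . ";</script>\n";
echo '<button onclick="show(' . js_in_attribute($untrusted) . ')">show</button>' . "\n";
```

Run with `php example.php` and inspect the three lines: the `<p>` version carries `&#60;` style references, the `<script>` version carries `\u003C`, `\u003E`, `\u0026`, `\u0027` and `\u0022` escapes that the JS engine decodes itself, and the `onclick` version wraps that same JS literal in `&quot;`, `&#039;` and `&amp;` so it survives the attribute-value decoding step intact. Because `json_encode()` accepts arrays and objects as well as strings, `js_literal()` also covers the common case of handing a whole data structure to the page's script.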
