ansaurus

Question

What is the correct way to encode an inline javascript object, in order to protect it from XSS?

Answer 1

+2 A:

In literal strings, put a backslash (\) before all “unsafe” characters, including the forward slash which occurs in “</script>” (/ → \/).

This would change your example to:

json = {test: "<\/script><script>alert(\"hello\");<\/script>"};

and it would still be valid JSON.

Of course you also have to escape the double-quote (" → \") and the backslash itself (\ → \\), but you would already have to do that anyway. You should also consider escaping the single-quote (' → \') to be on the safe side.

Timwi 2010-08-16 00:29:17

so a simple replace("/", "\/") should do ? any other edge cases ?

Sam Saffron 2010-08-16 00:31:19

@Sam Saffron: Yes, take care of double-quotes, single-quotes, and backslashes. See my edited answer.

Timwi 2010-08-16 00:44:09

@Tim cool, yerp I already had those encoded, expanding my question with a slightly hairier sample.

Sam Saffron 2010-08-16 00:53:44

There is nothing unsafe with the forward slash. The reason that this works is that it prevents the character combination `</`, which ends the script tag.

Guffa 2010-08-16 00:55:04

@Guffa: I know. There is nothing unsafe with the forward slash *itself*, but there *is* something unsafe with the character sequence `</script>`, so escaping the slash makes it safe.

Timwi 2010-08-16 11:29:46

Answer 2

+1 A:

I found this list of characters to be escaped for JSON strings:

\b  Backspace (ascii code 08)
\f  Form feed (ascii code 0C)
\n  New line
\r  Carriage return
\t  Tab
\v  Vertical tab
\'  Apostrophe or single quote
\"  Double quote
\\  Backslash character

Using PHP? If so: json_encode

 echo json_encode("<\/script><script>alert(\"hello\");<\/script>");

Output:

 "<\\\/script><script>alert(\"hello\");<\\\/script>"

Another example:

 echo json_encode("</script><script>alert(\"hello\");</script>");

Output:

 "<\/script><script>alert(\"hello\");<\/script>"

Michael Robinson 2010-08-16 00:32:56

Does that escape the forward slash? The help page doesn’t say. (In fact, it doesn’t say what *any* of the options mean.)

Timwi 2010-08-16 00:34:42

Added example, looks like it does escape the forward slash :)

Michael Robinson 2010-08-16 00:35:24

@Michael, can you expand on the algorithm I should use? I am not using PHP

Sam Saffron 2010-08-16 00:42:48

Sorry about the confusion, Michael — I kept editing and deleting my comment. I should have paid more attention. But this is all irrelevant now that Sam has elucidated that he is not using PHP.

Timwi 2010-08-16 00:47:25

Answer 3

+2 A:

To start with, this is not JSON at all, it's a Javascript object. JSON is a text format that is based on the Javascript syntax.

You can either make sure that the code doesn't contain the </ character combination:

var obj = { test: "<"+"/script><script>alert(\"hello\");<"+"/script>" };

Or if you are using XHTML you can make sure that the content in the script tag is interpreted as plain data:

<script type="text/javascript">
//<![CDATA[
var obj = { test: "</script><script>alert(\"hello\");</script>" };
//]]>
</script>

Guffa 2010-08-16 00:52:05

@Guffa, corrected the phrasing in the question, feel free to step in and further correct it. The "</" -> "<" + "/" feels a little iffy performance wise, the CDATA solution is really elegant

Sam Saffron 2010-08-16 00:59:38

Actually thinking about it, a server side fix of `gsub("</","<\/")` should do the trick, no?

Sam Saffron 2010-08-16 01:07:28

@Sam Saffron: Yes, using a backslash also works for preventing the `</` character combination. You can use a backslash before any character, even if the character has no special meaning that requires it to be escaped.

Guffa 2010-08-16 01:17:25

All fair points in this answer, but @Sam Saffron, beware of the CDATA solution: it really *only* works if you’re *actually* using XHTML, which is very unlikely. Specifying an XHTML doctype is not enough. Read [Sending XHTML as text/html Considered Harmful](http://hixie.ch/advocacy/xhtml).

Timwi 2010-08-16 11:33:31

@Guffa: If you’re already relying on actual XHTML being used, what’s the point in those extra “`//`”s before “`<![CDATA[`” and “`]]>`”? ☺

Timwi 2010-08-16 11:35:11

Answer 4

A:

sri 2010-08-17 09:28:45

Answer 5

+2 A:

One issue you might be running into is the fact that the HTML and javascript interpreters on the browser run interleaved.

<html> 
<body>
<script>
 json = {test: "</script><script>alert('hello');</script>"};
</script>
</body>
</html>

In your example, the HTML interpreter will give json = {test: " to the js interpreter and then it will find the next javascript block (delimited by <script> and </script> tags) and give alert('hello'); to the js interpreter. It doesn't matter that the </script> tag is in a javascript string, because the HTML interpreter is the one looking for js code blocks and doesn't understand js strings.

The first section will cause a js syntax error, while the second section will create the alert. I realize this doesn't answer your question of what to do, but perhaps it will shed more light on what is going on under the hood.

Ben Broussard 2010-08-25 00:29:09

ansaurus

tags:

views:

answers:

What is the correct way to encode an inline javascript object, in order to protect it from XSS?

related questions