DocTypesCanInjectUnsanitizedContent
HTML suffers from XXE which can inject scripts
Reported by Gareth

DOCTYPES allow injection of unsanitized markup

Effect
Unsanitized markup and unsanitized script execution

Background
XML allows definition of entities via <!ENTITY ...> declarations inside a <!DOCTYPE ...> block. DOCTYPEs commonly appear in HTML pages since they provide the browser with hints about content-type, character encoding, and whether or not to render in quirks or standards-compliance mode. Other problems with entity definitions are described at XsrfViaXxe.

Assumptions
Untrusted parties can specify entity declarations to include in the DOCTYPE of an HTML or XHTML file and they can generate markup using those entities.
or
User defined entities exist and they can be spliced together to construct unsafe markup.

Versions
Firefox and possibly others.

Example
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
[
<!ENTITY inject "<script>alert(1)</script>">
]>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title/></head>
<body>
&inject;
</body>
</html>
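As an added example (not part of the original report), the Python below uses the standard library XML parser to show the entity above being expanded into a live script element, and a defender-side check that rejects untrusted XHTML whose DOCTYPE declares entities. The sample document and the function names are constructed for this example; the behaviour shown is that of an XML parser, which is what processes an XHTML document, not of an HTML parser, which does not evaluate the internal DTD subset.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample mirroring the page's example: the body holds no literal <script>
# tag, only a reference to an entity whose replacement text is a script element.
XHTML_DOC = """<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
[
<!ENTITY inject "<script>alert(1)</script>">
]>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title/></head>
<body>
&inject;
</body>
</html>"""

def element_local_names(doc):
    """Local names of every element the stdlib parser builds, in document order.
    expat expands internal entities, so the injected <script> shows up as an element."""
    root = ET.fromstring(doc)
    return [el.tag.rsplit("}", 1)[-1] for el in root.iter()]

def doctype_entities(doc):
    """Use expat's declaration callbacks to report whether the DOCTYPE carries an
    internal subset and which general entities it declares (no external DTD is fetched)."""
    report = {"internal_subset": False, "entities": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["internal_subset"] = bool(has_internal_subset)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if not is_param:  # parameter entities (%name;) cannot be referenced in content
            report["entities"].append(name)

    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.Parse(doc, True)
    return report

def parse_untrusted_xhtml(doc):
    """Gate for untrusted XHTML: refuse any DOCTYPE that declares entities, so
    replacement text can never be spliced into the tree as markup."""
    info = doctype_entities(doc)
    if info["entities"]:
        raise ValueError("entity declarations not allowed: %s" % info["entities"])
    return ET.fromstring(doc)
```

Run against the sample, `element_local_names` lists a `script` element that never appeared as a tag in the source, which is exactly what a sanitizer that only inspects tags in the body would miss.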