New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
encodeForCSS breaks color values #304
Comments
My first knee-jerk is "who is using scriptlets in 2017?" and then "who is doing server-side dynamic css?" I would like a lot more info about this before I treat it as a bug. As it stands, if its an application that's taking HTML and CSS from the user, then this should have been previously run through an HTML sanitizer and then would be considered good data. If its color only, I would encode for HTML attribute in this case. I believe this isn't bug, but user naivete. |
@xeno6696 I'm not really sure this should be closed as I have recently seen code that has done stuff like this. Admittedly, it's not common, but AFAIK, it's legit as far as W3C specs are concerned. The question is, is this still a problem in ESAPI 2.x? I ask because this was reported against ESAPI 1.4.4 and lot's have changed since then. Maybe we should at least add a test case for it. I've added a "help wanted" tag if you don't want to address it, but I am re-opening it. |
Changing priority to Low because there are workarounds available, such as using a color name or via rgb() triples. So this shouldn't be a show stopper. If you are going back to add in ESAPI to this, then you can also rewrite you <style> tags or CSS to work around the issue. |
I'm running into this same issue on ESAPI 2.1.0.1. I guess my question would be is there some kind of best practice for using the encodeForCSS() method? Also, I was poking through the source and noticed in DefaultEncoder.java "immune" characters are tracked for the different codecs. Currently, none are supplied for CSS. Would adding '#' make sense? I am not well versed in the security implications of not encoding that character so I thought I would throw that out there. |
How about enhancing encoder to skip for color code in hexadecimal? We can scan for # followed by 3 or 6 HEX and skip the coding for it. According to CSS spec https://www.w3.org/TR/CSS21/syndata.html#color-units |
Could you just make # immune?
…--Jeff
From: jackycct <notifications@github.com>
Reply-To: ESAPI/esapi-java-legacy <reply@reply.github.com>
Date: Tuesday, October 2, 2018 at 12:54 PM
To: ESAPI/esapi-java-legacy <esapi-java-legacy@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Subject: Re: [ESAPI/esapi-java-legacy] encodeForCSS breaks color values (#304)
How about enhancing encoder to skip for color code in hexadecimal?
We can scan for # followed by 3 or 6 HEX and skip the coding for it.
According to CSS spec https://www.w3.org/TR/CSS21/syndata.html#color-units
The format of an RGB value in hexadecimal notation is a '#' immediately followed by either three or six hexadecimal characters.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub<#304 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AClCzFyjUcvb6Lt6i67llDoOO330Sk_xks5ug5omgaJpZM4C6zDz>.
|
I will work but it will then be less strict. |
In an HTML context sure, but I don't think that would break anything in the CSS side. The immunity that @planetlevel is referring to is unique to each specific codec in play--it's not global such that allowing In checking out the grammar, I noted that the only other case where we're using the To be more confident, I'd want to study more CSS style attacks if they surround the |
Have been spending some time to research and it seems Should we confirm to use immutable character? |
What unit tests did you write to come to this conclusion? I’m selfishly asking because we should add them to our test suite. |
Anyone look in the BeEF XSS Framework at https://beefproject.com/ ??? It
might have some good examples of XSS exploits related to colors in CSS.
…-kevin
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
On Wed, Oct 10, 2018, 02:00 Matt Seil ***@***.***> wrote:
What unit tests did you write to come to this conclusion? I’m selfishly
asking because we should add them to our test suite.
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
<#304 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AB3nmyG1SDVc-RTQ67bXCQluEG0CxhQtks5ujYzxgaJpZM4C6zDz>
.
|
I can think about some normal test cases but not CSS style attacks tho. |
@kwwall BeEF is really more of a post-exploitation toolkit. By the time you have the hook in your session there's nothing in the DOM that can't be rewritten. |
These values are still not supported... rgb(255,0,0) and rgb(100%,0%,10%) |
Propose not to support rgb as it will require immune 2 more characters and hex can be a easy workaround. |
With 74a38b0 having been merged into develop what work is left to be done on this issue? |
@jeremiahjstacey PR #453 did address this in part, but adding the '#' to the char array for IMMUNE_CSS, but based on @jackycct commens about it not supporting rgb triplets like rgb(255,0,0), rgb(100%,0%,10%) I wasn't sure if we wanted to consider this closed or not so it was left open. P.S.- We'd want the CI run against our 'develop' branch. |
Can't believe I missed responding here. I think this is closed for now and we worry about the triplets later. |
From sendtom...@gmail.com on April 20, 2013 11:33:38
What steps will reproduce the problem? 1. String color = "#FF00FF";
2. <style> h1{ background-color: <%=Encoder.encodeForCSS(color)%> } </style> What is the expected output? What do you see instead? <style> h1{ background-color: #FF00FF } </style> What version of the product are you using? On what operating system? ESAPI-1.4.4 Does this issue affect only a specified browser or set of browsers? All browsers. Please provide any additional information below. encodeForCSS is will change # to \23. So user input color is not set to my h1 tag.
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=298
The text was updated successfully, but these errors were encountered: