[CLOSED] XSS encoding



jchau
Jan 16, 2015, 10:03 PM
When I set the title for a panel to be
<script>alert('hi');</script>, the title doesn't show up, but I don't get an alert either. This makes me think Ext.NET or ExtJS is doing some encoding for XSS. Is that correct? And is that something added recently?

Daniil
Jan 17, 2015, 10:21 AM
Hi @jchau,

A Title is applied to a title span's innerHTML as a string. I think it is something comparable to this:

var div = document.createElement("div");
// Assign a string containing a <script> tag through innerHTML.
div.innerHTML = "<script>alert('hi');</script>";
document.body.appendChild(div);
// The script element ends up in the DOM, but the browser never executes it.

There is no alert box with this raw HTML code either. Also, the content is not visible.

As for XSS encoding in Ext.NET, we don't think there is any specific functionality like that built into Ext.NET.

Also a raw ExtJS sample behaves in the same way.

new Ext.Panel({
    renderTo: Ext.getBody(),
    // The title is written as a string; the <script> tag is neither executed nor displayed.
    title: "<script>alert('test')</script>"
});

Vladimir
Jan 17, 2015, 10:53 AM
Scripts in script tags in dynamic HTML will not be executed automatically. It is the desired browser behaviour:
http://stackoverflow.com/questions/13390588/script-tag-create-with-innerhtml-of-a-div-doesnt-work
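The two replies above make the same point: the browser refusing to run a <script> element inserted through innerHTML is a browser rule, not output encoding by Ext.NET or ExtJS. The defensive measure is to encode the title before it reaches innerHTML. The following is an added example written for this thread, not code from Ext.NET, ExtJS or any of the posters. It assumes a plain object standing in for the title span so it runs outside a browser; the escapeHtml, renderTitle and containsRawTag names are the example's own.

```javascript
// Added example (not Ext.NET / ExtJS code): HTML-encode a panel title so that
// whatever the user typed is displayed literally instead of being parsed as HTML.

// The five characters that can change HTML structure or attribute boundaries.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace each HTML-significant character with its entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-in for "apply the title string to the title span's innerHTML".
// Assumption: titleSpan is any object with an innerHTML property (a fake
// element here, a real DOM element in a page). Returns what was written.
function renderTitle(titleSpan, untrustedTitle) {
  titleSpan.innerHTML = escapeHtml(untrustedTitle);
  return titleSpan.innerHTML;
}

// Simple check used to confirm that no raw tag survives encoding:
// true if the string still contains something shaped like an HTML tag.
function containsRawTag(html) {
  return /<[a-z\/!][^>]*>/i.test(html);
}

// Constructed sample input: the title from the original question.
const sampleTitle = "<script>alert('hi');</script>";
const fakeSpan = { innerHTML: "" };

console.log("before:", sampleTitle, "raw tag:", containsRawTag(sampleTitle));
const written = renderTitle(fakeSpan, sampleTitle);
console.log("after: ", written, "raw tag:", containsRawTag(written));
```

In a real page the simplest equivalent is to assign the title to textContent rather than innerHTML, which needs no encoding at all; ExtJS also ships Ext.String.htmlEncode, which performs the same replacement as escapeHtml above.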

jchau
Jan 19, 2015, 3:04 PM
Thank you! We had a security firm do XSS testing on our application almost 6 months ago, back when we were still on Ext.NET 2.2. They found a few issues, but I am no longer able to reproduce them since we upgraded to Ext.NET 2.5. So I assumed you guys made some changes for XSS.

Daniil
Jan 19, 2015, 3:20 PM
Maybe we did something, but didn't realize it was against XSS :)