AnimeGirl_vbulletin3_import13194
New Member
The question arose from this one:
Why does the browser modify the ID of an HTML element that contains &#x?

Given the following web page:

\[code\]
<html>
  <head>
    <script type="text/javascript">
      // --------------------------------------------------------
      // could calling this method produce an XSS attack?
      // --------------------------------------------------------
      function decodeEntity(text) {
        text = text.replace(/<(.*?)>/g, ''); // strip out all HTML tags, to prevent possible XSS
        var div = document.createElement('div');
        div.innerHTML = text;
        return div.textContent ? div.textContent : div.innerText;
      }

      function echoValue() {
        var e = document.getElementById(decodeEntity("/path/$whatever"));
        if (e) {
          alert(e.innerHTML);
        } else {
          alert("not found\n");
        }
      }
    </script>
  </head>
  <body>
    <p id="/path/$whatever">The Value</p>
    <button onclick="echoValue()">Tell me</button>
  </body>
</html>
\[/code\]

The \[code\]id\[/code\] of the \[code\]<p>\[/code\] element contains characters that were escaped in order to prevent XSS attacks. The HTML part and the JS part are generated by the server, and the server inserts the same escaped value (which could originate from an insecure source) in both parts. The server escapes the following character ranges in the \[code\]&#x\[/code\] format:
- 0x00 – 0x2D
- 0x3A – 0x40
- 0x5B – 0x5E
- 0x60
- 0x7B – 0xFF
- 0x0100 – 0xFFFF
- 0x2E – 0x39 (\[code\].\[/code\], \[code\]/\[/code\], \[code\]0123456789\[/code\])
- 0x41 – 0x5A (\[code\]A\[/code\] – \[code\]Z\[/code\])
- 0x5F (\[code\]_\[/code\])
- 0x61 – 0x7A (\[code\]a\[/code\] – \[code\]z\[/code\])
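An added example, not part of the post above and not the poster's code, in plain JavaScript so it runs in Node without a DOM. It applies the escaping rules listed in the post (treating the second group of ranges, `.`, `/`, digits, letters and `_`, as the characters left unescaped, which is my reading of the list, and extending the last range past 0xFFFF), decodes the `&#x..;` references the way the HTML parser does for an attribute value (which is why `id="/path/&#x24;whatever"` is stored as `/path/$whatever` and must be looked up under that decoded name), and runs the tag-stripping regex from `decodeEntity()` over two constructed inputs it does not catch. Function names, the sample id and the two inputs are my own.

```javascript
// Added example (not from the original post). Names and sample values are
// mine; the only assumption is that the post's second group of ranges
// (. / 0-9 A-Z _ a-z) is the set of characters the server leaves unescaped.

// Characters the post lists as NOT escaped: 0x2E-0x39, 0x41-0x5A, 0x5F, 0x61-0x7A.
function isUnescaped(cp) {
  return (cp >= 0x2e && cp <= 0x39) ||
         (cp >= 0x41 && cp <= 0x5a) ||
         cp === 0x5f ||
         (cp >= 0x61 && cp <= 0x7a);
}

// Escape every other code point as a hex character reference (&#x..;), the
// form shown in the post's title. Code points above 0xFFFF are escaped too.
function escapeNumeric(str) {
  let out = '';
  for (const ch of str) {             // for..of walks code points, not UTF-16 units
    const cp = ch.codePointAt(0);
    out += isUnescaped(cp) ? ch : '&#x' + cp.toString(16).toUpperCase() + ';';
  }
  return out;
}

// What the HTML parser does to an attribute value: numeric character
// references are resolved, so id="/path/&#x24;whatever" is stored as
// "/path/$whatever". Decoding with a regex instead of div.innerHTML means no
// markup is ever parsed, so the decoded text never reaches a sink.
// Apply it exactly once: a second pass would re-decode text that legitimately
// contained "&#...;" after the first decode.
function decodeNumericRefs(str) {
  return str.replace(/&#(x[0-9a-f]+|[0-9]+);/gi, (m, num) => {
    const cp = num[0].toLowerCase() === 'x'
      ? parseInt(num.slice(1), 16)
      : parseInt(num, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Mirrors echoValue(): the lookup key must be the *decoded* id, because that is
// what the parser stored. Pure-JS stand-in for document.getElementById.
function lookupId(serverEscapedId, storedIds) {
  const key = decodeNumericRefs(serverEscapedId);
  return storedIds.includes(key) ? key : null;
}

// The tag-stripping regex from the post's decodeEntity(), unchanged.
function stripTagsLikePost(text) {
  return text.replace(/<(.*?)>/g, '');
}

// Constructed demo value mirroring the id in the post.
const RAW_ID = '/path/$whatever';
const ESCAPED_ID = escapeNumeric(RAW_ID);            // "/path/&#x24;whatever"
const PAGE_IDS = [decodeNumericRefs(ESCAPED_ID)];    // what the parser stored

// Constructed inputs the regex leaves untouched: an unterminated tag (no ">"
// to match) and a tag containing a newline ("." does not match "\n"). Handed to
// innerHTML, either one would create an <img> element; decodeNumericRefs()
// never parses them at all.
const UNTERMINATED = '<img src=x onerror=alert(1)';
const MULTILINE = '<img\nsrc=x onerror=alert(1)>';

// Stand-alone run: show the escaped id, the stored id, and the regex misses.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(ESCAPED_ID, '->', lookupId(ESCAPED_ID, PAGE_IDS));
  console.log('regex kept:', JSON.stringify(stripTagsLikePost(UNTERMINATED)));
  console.log('regex kept:', JSON.stringify(stripTagsLikePost(MULTILINE)));
}
```

Since `/` is in the unescaped range, the server-side form of the id in the post is `/path/&#x24;whatever`; the parser stores `/path/$whatever`, so `getElementById` on the raw escaped string finds nothing and the JS side has to decode once before the lookup. Doing that decode with innerHTML makes a parser sink out of a lookup key, and the regex in front of it is not a reliable guard, as the two constructed inputs show.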