My searches have been fruitless. I am coding a page that will have an anchor link to send query results to a second page to produce a tabulated CSV file download.
The main page runs the query. I serialized the results as JSON and encoded them:
%5B%7B%22SELECT%5FREASON%22%3A%2201%22%2C%22IMPOSED%5FACTION%22%3Anull%2C%22DISP%5FTYPE%5FTEXT%22%3Anull%2C%22COUNT%22%3A496%2C%22DATE%22%3A20220712%7D%2C%7B%22SELECT%5FREASON%22%3A%2202%22%2C%22IMPOSED%5FACTION%22%3Anull%2C%22DISP%5FTYPE%5FTEXT%22%3Anull%2C%22COUNT%22%3A412%2C%22DATE%22%3A20220712%7D%2C%7B%22SELECT%5FREASON%22%3A%2205%22%2C%22IMPOSED%5FACTION%22%3Anull%2C%22DISP%5FTYPE%5FTEXT%22%3Anull%2C%22COUNT%22%3A332%2C%22DATE%22%3A20220712%7D%2C%7B%22SELECT%5FREASON%22%3A%2206%22%2C%22IMPOSED%5FACTION%22%3Anull%2C%22DISP%5FTYPE%5FTEXT%22%3Anull%2C%22COUNT%22%3A60%2C%22DATE%22%3A20220712%7D%2C%7B%22SELECT%5FREASON%22%3A%2207%22%2C%22IMPOSED%5FACTION%22%3Anull%2C%22DISP%5FTYPE%5FTEXT%22%3Anull%2C%22COUNT%22%3A258%2C%22DATE%22%3A20220712%7D%2C%7B%22SELECT%5FREASON%22%3A%2209%22%2C%22IMPOSED%5FACTION%22%3Anull%2C%22DISP%5FTYPE%5FTEXT%22%3Anull%2C%22COUNT%22%3A300%2C%22DATE%22%3A20220712%7D%2C%7B%22SELECT%5FREASON%22%3A%2212%22%2C%22IMPOSED%5FACTION%22%3Anull%2C%22DISP%5FTYPE%5FTEXT%22%3Anull%2C%22COUNT%22%3A242%2C%22DATE%22%3A20220712%7D%2C%7B%22SELECT%5FREASON%22%3A%2213%22%2C%22IMPOSED%5FACTION%22%3Anull%2C%22DISP%5FTYPE%5FTEXT%22%3Anull%2C%22COUNT%22%3A282%2C%22DATE%22%3A20220712%7D%2C%7B%22SELECT%5FREASON%22%3A%2214%22%2C%22IMPOSED%5FACTION%22%3Anull%2C%22DISP%5FTYPE%5FTEXT%22%3Anull%2C%22COUNT%22%3A2%2C%22DATE%22%3A20220712%7D%2C%7B%22SELECT%5FREASON%22%3A%2215%22%2C%22IMPOSED%5FACTION%22%3Anull%2C%22DISP%5FTYPE%5FTEXT%22%3Anull%2C%22COUNT%22%3A180%2C%22DATE%22%3A20220712%7D%2C%7B%22SELECT%5FREASON%22%3A%2216%22%2C%22IMPOSED%5FACTION%22%3Anull%2C%22DISP%5FTYPE%5FTEXT%22%3Anull%2C%22COUNT%22%3A30%2C%22DATE%22%3A20220712%7D%2C%7B%22SELECT%5FREASON%22%3A%2217%22%2C%22IMPOSED%5FACTION%22%3Anull%2C%22DISP%5FTYPE%5FTEXT%22%3Anull%2C%22COUNT%22%3A6%2C%22DATE%22%3A20220712%7D%5D
The source on the page reflects this, but when I hover over the link (or go ahead and send it) all of the unencoded (plain text) portions are now quoted.
%27%5B%7B"SELECT_REASON"%3A"01"%2C"IMPOSED_ACTION"%3Anull%2C"DISP_TYPE_TEXT"%3Anull%2C"COUNT"%3A496%2C"DATE"%3A20220712%7D%2C%7B"SELECT_REASON"%3A"02"%2C"IMPOSED_ACTION"%3Anull%2C"DISP_TYPE_TEXT"%3Anull%2C"COUNT"%3A412%2C"DATE"%3A20220712%7D%2C%7B"SELECT_REASON"%3A"05"%2C"IMPOSED_ACTION"%3Anull%2C"DISP_TYPE_TEXT"%3Anull%2C"COUNT"%3A332%2C"DATE"%3A20220712%7D%2C%7B"SELECT_REASON"%3A"06"%2C"IMPOSED_ACTION"%3Anull%2C"DISP_TYPE_TEXT"%3Anull%2C"COUNT"%3A60%2C"DATE"%3A20220712%7D%2C%7B"SELECT_REASON"%3A"07"%2C"IMPOSED_ACTION"%3Anull%2C"DISP_TYPE_TEXT"%3Anull%2C"COUNT"%3A258%2C"DATE"%3A20220712%7D%2C%7B"SELECT_REASON"%3A"09"%2C"IMPOSED_ACTION"%3Anull%2C"DISP_TYPE_TEXT"%3Anull%2C"COUNT"%3A300%2C"DATE"%3A20220712%7D%2C%7B"SELECT_REASON"%3A"12"%2C"IMPOSED_ACTION"%3Anull%2C"DISP_TYPE_TEXT"%3Anull%2C"COUNT"%3A242%2C"DATE"%3A20220712%7D%2C%7B"SELECT_REASON"%3A"13"%2C"IMPOSED_ACTION"%3Anull%2C"DISP_TYPE_TEXT"%3Anull%2C"COUNT"%3A282%2C"DATE"%3A20220712%7D%2C%7B"SELECT_REASON"%3A"14"%2C"IMPOSED_ACTION"%3Anull%2C"DISP_TYPE_TEXT"%3Anull%2C"COUNT"%3A2%2C"DATE"%3A20220712%7D%2C%7B"SELECT_REASON"%3A"15"%2C"IMPOSED_ACTION"%3Anull%2C"DISP_TYPE_TEXT"%3Anull%2C"COUNT"%3A180%2C"DATE"%3A20220712%7D%2C%7B"SELECT_REASON"%3A"16"%2C"IMPOSED_ACTION"%3Anull%2C"DISP_TYPE_TEXT"%3Anull%2C"COUNT"%3A30%2C"DATE"%3A20220712%7D%2C%7B"SELECT_REASON"%3A"17"%2C"IMPOSED_ACTION"%3Anull%2C"DISP_TYPE_TEXT"%3Anull%2C"COUNT"%3A6%2C"DATE"%3A20220712%7D%5D%27
The rendered html doesn't have the double quotes. How do I keep the browser from doing this?
Related
I need to create a link to a web page that contains the character # (%23). However, when the URL gets decoded (resulting in a URL containing #), the character is not recognized and the page is not displayed properly.
When I create a link as follows, the %23 just gets replaced with #. This may be the behaviour of the browser, but how can I stop it and reach the proper URL with the string still URL encoded? I would prefer to do it without JavaScript if it is possible.
click
Browser goes to: http://aWebsite.com/somePath/somePage#myParameter
I want to go to: http://aWebsite.com/somePath/somePage%23myParameter
It sounds like you need to encode it a second time. The "%" will become "%25" so you'll have:
click
Edit:
If you want the "#" to be sent to the server as part of the URL, then it's not going to work. The browser treats that as a bookmark so it is removed from the requested URL. Once the page is loaded, the browser will scroll to that bookmark.
You need to double encode it:
http://example.com/somePath/somePage%2523myParameter
%25 will resolve to % in the final URL
Say that I want to provide some data to my client (in the first response, with no latency) via a dynamic <script> element.
<script><%= payload %></script>
Say that payload is the string var data = '</script><script>alert("Muahahaha!")';</script>. An end tag (</script>) will allow users to inject arbitrary scripts into my page. How do I properly sanitize the contents of my script element?
I figure I could change </script> to <\/script> and <!-- to <\!--. Are there any other dangerous strings I need to escape? Is there a better way to provide this "cold start" data?
Edited for non-mutation of data.
If I'm interpreting this correctly, you want to prevent the user from ending the script tag prematurely within the user-submitted string. That can be done for HTML just as you stated, by adding the backslash in the ending tag: <\/script>. That is the only escaping you should have to worry about in that case. You shouldn't need to escape HTML comments, as the browser will interpret them as part of the JavaScript. Perhaps, if some older browsers don't correctly default script tags to the type text/javascript (language="javascript" is deprecated), adding type='text/javascript' may be necessary.
Based on Mike Samuel's answer here, I may have been wrong about not needing to escape HTML comments. However, I was not able to reproduce it in Chrome or Chromium.
Assuming that you're doing this:
Payload is set to
var data = '[this is user controlled data]';
and the rest of the code (assignment, quotes and semi-colon) is generated by your application, then the encoding you want is hex entity encoding.
See the OWASP XSS Prevention Cheat Sheet, Rule #3 for more information. This will convert
</script><script>alert("Muahahaha!")
into
var data = '\x3c\x2fscript\x3e\x3cscript\x3ealert\x28\x22Muahahaha\x21\x22\x29';
Try this and you will see it has the advantage of storing the user-set string exactly, no matter what characters it contains. Additionally, it takes care of single and double quote encoding. As a super bonus, it is also suitable for storing in HTML attributes:
<a onclick="alert('[user data]');" />
which normally would have to be HTML encoded again for correct display (because & inside an HTML attribute is interpreted as &). However, hex entity encoding does not include any HTML characters with special meaning so you get two for the price of one.
Update from comments
The OP indicated that the server-side code would be generated in the form
var data = <%= JSON.stringify(data) %>;
The above still applies. It is up to the JSON class to properly hex entity encode values as they're inserted into the JSON. This cannot easily be done outside of the class, as you'd have to effectively parse the JSON again to determine the current language context. I wouldn't recommend going for the simple option of escaping the forward slash in the </script>, because there are other sequences that can end the grammar context, such as CDATA closing tags. Escape properly and your code will be future-proof and secure.
Please forgive my lack of knowledge surrounding HTML
I am trying to generate a static HTML page which is rendered in an embedded HTML Browser component in a 3rd party application.
In the HTML Body I have a URL Link embedded within the page.
Access Application
Note that the above URL is "URLEncoded". Specifically, the query string after "encrypt=" is encrypted, and then URLEncoded.
Problem
The HTML browser component embedded in the 3rd party application renders the HTML and all appears fine, EXCEPT that it decodes the URL string.
This results in a hyperlink with the following URI:
https://mydomain.com.au/Web/Default.ashx?encrypt=x+NWTAVMqprD+ZyFtf1tfBVfIfhqKJ3JCjMmiXiSJSUl6n4FzCuW8mwQfpNskdQEvqU7QiWMdR+bu9y6+iO8eh41XwGJX9l5iCYZunTamhGdkkiR9CqVCrkStu+zAlhqcJYG6M0zztcActpm6iSn99gXDlw8z+Hs8Q88N9fZyXdYpxspgl+AoGZe7hR3zOulJb1YhabyBbf+kfI0dq1YQpHn3SWig8HuWvBANXPrPHDqAOsnT1DtJQ==
Note the presence now of characters such as "+" and "=", which causes the failure to load the application that is the target of the URL.
Is there any way to prevent a browser (browser control?) from decoding this URL string and maintaining its integrity?
I am thinking off the top of my head, and I don't really understand the purpose of this suggestion but will defining a "type" attribute on the Link such as
<a type="application/x-www-form-urlencoded" href="xxx.com/ddddd" class="Action">Access Application</a>
have any effect?
How else can I prevent the browser control from decoding this URL?
Meta tags in the <head>???
Thanks in Advance!
Kind Regards
Aaron
We had to escape the % symbol.
For example: changing %2B in the link to %252B (%25 being the escape code for a % symbol). Likewise, changing %3D to %253D had the same effect and prevented the client application from rendering %3D as a = sign.
We couldn't stop the client application from 'decoding' the URL entirely, but at least now it decoded to the correct URL value.
I'm trying to include a simple hyperlink in a website:
...Engineers (IEEE) projects:
So that it ends up looking like "...Engineers (IEEE) projects:" with "IEEE" being the hyperlink.
When I click on copy link address and paste the address, instead of getting
http://www.ieee.ucla.edu/
I get
http://www.ieee.ucla.edu/%C3%A2%E2%82%AC%C5%BD
and when I click on the link, it takes me to a 404 page.
Check the link. These special characters are added automatically by the browser (URL encoding).
URL Encoding
Use this code and it will work:
IEEE
The proper format to add a hyperlink to HTML is as follows
(texts to be hyperlink)
and for better understanding go through this link http://www.w3schools.com/html/html_links.asp
%C3%A2%E2%82%AC%C5%BD represents â€Ž, which is what you get when the Unicode character U+200E (an invisible left-to-right mark) is parsed as Windows-1252 data.
Use straight quotes to delimit attribute values in your real code. You are doing this in the code you have included in the question, but that won't have the effect you are seeing. Presumably your codes are being transformed at some point in your real code.
Add appropriate HTTP headers and <meta> data to tell the browser what encoding your file is really using
I have a php script which generates a bunch of links like so
link
but when I hover over this link or click on it, it really goes to
http://localhost/explorer/index.php?repository_id=default&folder=/mypath/inner/inner2
How do I prevent this behavior and force it to go to http://localhost/explorer/index.php?repository_id=default&folder=%2Fmypath%2Finner%2Finner2
The tool which receives this input needs to have %2F instead of the /
The hover display is often unescaped for ease of use. If you inspect the page source it should still be URI-escaped.
When you use the link the GET param will still be URI-escaped and get to your PHP script intact.
You need to encode the URL string you are using. http://php.net/manual/en/function.urlencode.php
Or manually replace %2F with %252F (% encoded + 2F)