If you’ve never had your website reported for cross-site scripting (XSS) vulnerabilities then you’re missing out. Of course, it’s great to get it right the first time. But it’s hard to beat that sense that you’re wide open for attack, it’s your fault, and everyone knows it thanks to some white-hat hacker.<\/p>\n
This raises the question how to generally protect against XSS. Of course, there are a lot of ways to screw up. Here’s one of them.<\/p>\n
You have a value on the server (like Here’s the problem: What if Which is valid AND EVIL code.<\/p>\n What if we use the escaping capability of EJS? Are we safe? Sorta.<\/p>\n Let’s bust out the REPL.<\/p>\n You see that using the back fat arrow ( What if you had a number instead of a string? What if you wanted to do the same thing to it? Continuing in the REPL the sample attack would look like this:<\/p>\n Notice that the escaping doesn’t help because there are no quotes in the attack string. In order for escaping to really work it would have to escape semicolons, too.<\/p>\n So, you’re kinda safe as long as you are using strings OR at least match the untrusted string with a RegEx like Why is EJS so broken? Why doesn’t escaping help you escape?<\/p>\n It isn’t broken. The problem is that back fat arrow\u00a0is an HTML escape and you are rendering text into a JavaScript execution context.<\/p>\n For escaping to be reliable you have to match data context with escaping algorithm.<\/strong><\/p><\/blockquote>\n In this case the context is JavaScript<\/em> and the algorithm is HTML<\/em>. Close. But missed it by that much<\/em>.<\/p>\n The Right Way\u2122 to do this is to render it into a meta tag like this:<\/p>\n Notice that here the escaping algorithm (HTML) matches the data context (HTML).<\/p>\n Then you get the value using code like this:<\/p>\n Looking at the Right Way\u2122 it’s no wonder that we take shortcuts.<\/p>\n But seriously, the Right Way\u2122 is much less XSS error prone.<\/p>\n For other ideas on how to get meta data from the DOM using JavaScript you can always Stack Overflow<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" If you’ve never had your website reported for cross-site scripting (XSS) vulnerabilities then you’re missing out. Of course, it’s great to get it right the first time. But it’s hard to beat that sense that you’re wide open for attack, it’s your fault, and everyone knows it thanks to some white-hat hacker. This raises the… Continue reading Will EJS Escape Save Me From XSS? Sorta<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[28],"tags":[115,116,114],"class_list":["post-329","post","type-post","status-publish","format-standard","hentry","category-developing","tag-ejs","tag-escaping","tag-xss","wow fadeInUp","entry"],"_links":{"self":[{"href":"https:\/\/www.managerjs.com\/blog\/wp-json\/wp\/v2\/posts\/329","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.managerjs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.managerjs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.managerjs.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.managerjs.com\/blog\/wp-json\/wp\/v2\/comments?post=329"}],"version-history":[{"count":1,"href":"https:\/\/www.managerjs.com\/blog\/wp-json\/wp\/v2\/posts\/329\/revisions"}],"predecessor-version":[{"id":330,"href":"https:\/\/www.managerjs.com\/blog\/wp-json\/wp\/v2\/posts\/329\/revisions\/330"}],"wp:attachment":[{"href":"https:\/\/www.managerjs.com\/blog\/wp-json\/wp\/v2\/media?parent=329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.managerjs.com\/blog\/wp-json\/wp\/v2\/categories?post=329"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.managerjs.com\/blog\/wp-json\/wp\/v2\/tags?post=329"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}locale<\/code>) that you want accessible on the client. You realize that you’re building the whole page in EJS anyway so why not plop a script<\/code> tag on the page and pop a var<\/code> into it? So, we render it right into some JavaScript like this:<\/p>\nvar lang = \"<%- locale %>\";\n<\/pre>\n
locale<\/code>‘s value is en\"; doEvil(); \"throw away string literal<\/code><\/strong>? Now we render into a JavaScript execution context the following code<\/p>\nvar lang = \"en\"; doEvil(); \"throw away string literal\";<\/pre>\n
Does <%= Do the Necessary Escaping? Erm…<\/h2>\n
$ node\n> var ejs = require('ejs')\nundefined\n> var locale = 'en\"; doEvil(); \"throw away string literal'\nundefined\n> ejs.render('var lang = \"<%- locale %>\";')\n'var lang = \"en\"; doEvil(); \"throw away string literal\";'\n> ejs.render('var lang = \"<%= locale %>\";')\n'var lang = \"en"; doEvil(); "throw away string literal\";'<\/pre>\n<%=<\/code>) does prevent the evil from running in this case. But it isn’t really a safe technique in general.<\/strong><\/p>\n> var onServer = '6; doEvil();'\nundefined\n> ejs.render('var count = <%= onServer %>')\n'var count = 6; doEvil();'<\/pre>\n\/[^;'\"]*\/<\/code> and use the matched text instead of the full text.<\/p>\nMy Tools Have Betrayed Me!?<\/h2>\n
What’s the Right Way?<\/h2>\n
<meta name=\"lang\" content=\"<%= lang %>\"><\/pre>\n
var metas = document.getElementsByTagName('meta');\nvar i, l = metas.length, lang;\n\nfor (i=0; i < l; ++i) {\n if (metas[i].getAttribute('name') == 'lang') {\n lang = metas[i].getAttribute('content');\n }\n}<\/pre>\n