
<script>alert('You have been pwned')</script> purification

Posted by cluelesscoder 

Hi - my colleague noticed that this input (using version 4.7.0) did not seem to be ultimately properly sanitized and ended up executing when it reached the frontend: <script>alert('You have been pwned')</script>

It is eventually inserted into a handlebars template.

<script>alert("you have been megapwned by G")</script> seemed to be properly escaped.

Is this intended behavior? I thought maybe it was related to something like the issue mentioned at http://htmlpurifier.org/phorum/read.php?3,7755,7755#msg-7755 since this text is technically already escaped.

Yeah, this is not HTML Purifier's problem: whatever its output, it was properly escaped; the problem is some later frontend code *unescaping* the escapes and interpreting the HTML, whatever it is. That's wrong wrong wrong.
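An added example, not from this thread and not HTML Purifier's or Handlebars' own code, that reproduces the failure mode the reply describes. The `render` helper is a small stand-in written here so the snippet runs without dependencies; it mirrors the Handlebars rule that `{{x}}` HTML-escapes a value while `{{{x}}}` inserts it raw. The `PURIFIED` string is constructed to stand for already-escaped text after it has passed through the sanitizer, and `unescapeHtml` is the hypothetical frontend step the reply blames: once that runs before the triple-stash insert, the escaped text becomes a live `<script>` element again.

```javascript
// Added example: escaped sanitizer output -> frontend "unescape" -> raw template insert.
// None of this is HTML Purifier or Handlebars code; render() only imitates the
// {{x}} (escaped) vs {{{x}}} (raw) distinction.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Minimal HTML escaper, the same kind of transform a sanitizer applies to text nodes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// The hypothetical frontend step that undoes the escaping. Decoding &amp; last is
// the usual order, but the order does not matter for the point: any such decode
// turns "&lt;script&gt;" back into a real tag before it reaches the DOM.
function unescapeHtml(s) {
  return String(s)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#0?39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Stand-in for a Handlebars template: {{{k}}} inserts ctx[k] verbatim,
// {{k}} inserts escapeHtml(ctx[k]). One pass, so substituted values are never rescanned.
function render(template, ctx) {
  return template.replace(/\{\{\{(\w+)\}\}\}|\{\{(\w+)\}\}/g, (_, raw, esc) =>
    raw !== undefined ? String(ctx[raw]) : escapeHtml(ctx[esc]));
}

// Constructed sample: the poster's payload as already-escaped text, i.e. what a
// sanitizer emits when the input contained "&lt;script&gt;" rather than "<script>".
const PURIFIED = "&lt;script&gt;alert('You have been pwned')&lt;/script&gt;";

const POST_TEMPLATE = '<div class="post">{{{body}}}</div>';

// Correct pipeline: sanitizer output is trusted HTML, so it goes in via triple-stash
// untouched. The browser shows the literal text "<script>...</script>" and runs nothing.
function renderAsPurified() {
  return render(POST_TEMPLATE, { body: PURIFIED });
}

// Broken pipeline the reply describes: frontend unescapes first, then inserts raw.
function renderAfterUnescape() {
  return render(POST_TEMPLATE, { body: unescapeHtml(PURIFIED) });
}

// The mistake that often motivates adding that unescape: sending sanitizer output
// through the escaping {{body}} form double-escapes it, so users see "&lt;script&gt;".
function renderDoubleEscaped() {
  return render('<div class="post">{{body}}</div>', { body: PURIFIED });
}

// Detection check: does the rendered markup contain an actual script element?
function containsLiveScript(html) {
  return /<script[\s>]/i.test(html);
}

console.log('purified, raw insert  :', renderAsPurified(), '| live script:', containsLiveScript(renderAsPurified()));
console.log('unescaped, raw insert :', renderAfterUnescape(), '| live script:', containsLiveScript(renderAfterUnescape()));
console.log('purified, escaped ins.:', renderDoubleEscaped(), '| live script:', containsLiveScript(renderDoubleEscaped()));
```

The fix on the frontend side is to delete the unescape step, not to add more escaping: sanitizer output is already safe HTML and belongs in the raw (`{{{ }}}`) slot exactly as received, while untrusted plain text belongs in the escaping (`{{ }}`) slot.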
