7

Is it possible to inject XSS in a JavaScript variable if a website inserts HTML-encoded user input in a double-quoted string?

var userString = "perfectly &quot;safe&quot; input from user?";

2
  • 2
    Depends on what you're going to do with the string.
    – Rob W
    Commented Jun 26, 2013 at 21:41
  • If nothing is done with it and it is in a script tag?
    – user27675
    Commented Jun 26, 2013 at 22:19

1 Answer

4

It is probably not possible to get XSS given this simple character restriction. However, an attacker could inject an escape character, for example:

var userString = "perfectly &quot;safe&quot; input from user?\"+"+alert(1);

In this case the attacker would be injecting a \ and an alert(1) in two different variables which exist in two locations within the <script> tag. Escape characters are a type of control character that is commonly forgotten by developers when sanitizing attacker-controlled data.

... also hopefully you took this into consideration:

<script> var userString = "</script><script>alert(1)//" </script> 
4
  • 2
    In the second example, if " is encoded into &quot;, I hope < and > are too!
    – Ry-
    Commented Jun 26, 2013 at 23:02
  • @minitech the op failed to mention such a critical detail!
    – rook
    Commented Jun 27, 2013 at 2:48
  • 1
    HTML encoding includes &lt; &amp; &gt;, but good to know for completeness.
    – user27675
    Commented Jun 27, 2013 at 2:59
  • 1
    @user27675 Yes, any character can be HTML encoded, as the HEX format &#xhhhh; supports all of ASCII and even Unicode! However, you did not mention what HTML encode function you used.
    – rook
    Commented Jun 27, 2013 at 3:01
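
An added illustration of the point made in the answer and comments above (not code from the original post or its authors; all function names are hypothetical): an HTML-entity encoder is compared with an encoder for the JavaScript-string context, and each is checked on constructed inputs, including the backslash case.

```javascript
// Added example, not code from the original post. All function names are hypothetical.

// HTML-entity encoder of the kind the question describes. Right for HTML text and
// attribute values, but it passes backslashes and newlines through unchanged.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoder for a JavaScript string literal inside <script>: every UTF-16 code unit
// outside a small allowlist becomes \uXXXX, so the output never contains a raw
// quote, backslash, '<', '>', '&' or line terminator.
function jsStringEncode(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._-]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Place the encoder's output between double quotes and evaluate it as a literal.
// parses: the closing quote still terminates the literal.
// roundTrips: the script sees exactly the user's input.
// closesScript: the output contains "</script", which ends the element in HTML.
function checkEncoder(encode, input) {
  const out = encode(input);
  let parses = true, value;
  try {
    value = new Function('return "' + out + '";')();
  } catch (e) {
    parses = false; // e.g. a trailing backslash escaped the closing quote
  }
  return { out, parses, roundTrips: parses && value === input,
           closesScript: /<\/script/i.test(out) };
}

// Constructed sample inputs covering the cases discussed on this page.
const samples = ['perfectly "safe" input from user?', "trailing backslash \\",
                 "</script>", "line\nbreak"];

function report() {
  return samples.map((input) => ({
    input,
    html: checkEncoder(htmlEncode, input),
    js: checkEncoder(jsStringEncode, input),
  }));
}

console.log(JSON.stringify(report(), null, 2));
```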
