
RE: [caplet] Re: ADsafe, Take 6

  • Larry Masinter
    Oct 19, 2007

      I think you got it backward: URIs are sequences of characters, not bytes, and in (X)HTML, "URI" is really "IRI" – the XHTML spec allows full Unicode (10646) characters, which are UTF-8 and then hex-encoded if you need an (old-fashioned) URI.

      From: caplet@yahoogroups.com [mailto:caplet@yahoogroups.com] On Behalf Of Mike Samuel
      Sent: Wednesday, October 17, 2007 4:16 PM
      To: caplet@yahoogroups.com
      Subject: Re: [caplet] Re: ADsafe, Take 6

      RFC 3986 disallows the null byte in URIs, and says URIs are sequences of bytes, not characters, so 65533 is out of range.

      In your attribute whitelist, can't you identify all whose value is a URI or URI Reference, and restrict the unescaped value to the union of the reserved and unreserved characters and '%'?

            unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
            reserved    = gen-delims / sub-delims
            gen-delims  = ":" / "/" / "?" / "#" / "[" / "]" / "@"
            sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
                        / "*" / "+" / "," / ";" / "="

      cheers,
      mike

      On 17/10/2007, collin_jackson <collinj@...> wrote:

      I'm not pasting. I'm reading the value of a textarea into JSLint
      directly using JavaScript.

      See http://crypto.stanford.edu/jsonrequest/nullbyte2.html

      It looks like Firefox is converting null bytes to Unicode character
      65533, which isn't rejected by JSLint. So all you need to do is reject
      Unicode character 65533 to defeat this attack.

      (Note that null bytes vanish in IE, which is fine as long as Firefox
      rejects them.)

      --- In caplet@yahoogroups.com, "Douglas Crockford" <douglas@...> wrote:

      >
      > --- In caplet@yahoogroups.com, "collin_jackson" <collinj@> wrote:
      > >
      > > Null byte between "java" and "script" passes JSLint on Firefox despite
      > > being an attack on IE
      >
      > I scan every line for null and other characters. I am guessing that
      > the null is lost in the browser's paste process. In production,
      > inspection will be done on files, so I don't think that will be a
      > problem.
      >
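
One way to turn the character-class whitelist Mike proposes into a concrete check, folding in Collin's observation that Firefox turns a NUL into U+FFFD and Larry's point that an (X)HTML attribute may hold an IRI with non-ASCII characters: the example below is added here and is not code from anyone on this thread or from ADsafe/JSLint. It percent-encodes non-ASCII characters as UTF-8 first (Larry's "UTF8 and then hex-encoded"), then requires every remaining character to be in the RFC 3986 reserved or unreserved sets or '%', with each '%' starting a well-formed escape. The function names and the sample inputs are constructed for illustration.

```python
# Added example: validate a URI-valued attribute against the RFC 3986
# character classes quoted in the thread. Not the project's code.
import re
import string
from urllib.parse import quote

# RFC 3986 section 2.2 / 2.3 character classes (as quoted in Mike's message).
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
GEN_DELIMS = set(":/?#[]@")
SUB_DELIMS = set("!$&'()*+,;=")
ALLOWED = UNRESERVED | GEN_DELIMS | SUB_DELIMS | {"%"}

# Characters the thread singles out: the NUL byte itself, and U+FFFD, which
# Collin saw Firefox substitute for NUL when reading a textarea.
FORBIDDEN = {"\x00", "\ufffd"}

PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def iri_to_uri(value: str) -> str:
    """Percent-encode non-ASCII characters as UTF-8 (IRI -> URI mapping).

    ASCII is left untouched, including '%', so escapes already present
    in the value survive and are checked later.
    """
    out = []
    for ch in value:
        if ord(ch) < 0x80:
            out.append(ch)
        else:
            out.append(quote(ch, safe=""))  # e.g. 'é' -> '%C3%A9'
    return "".join(out)


def check_uri_attribute(value: str) -> tuple[bool, str]:
    """Return (ok, detail). On success detail is the normalized URI;
    on failure it names the first rule that was violated."""
    # 1. NUL / U+FFFD are rejected before any normalization, so the
    #    browser's substitution cannot hide the original byte.
    if any(ch in FORBIDDEN for ch in value):
        return False, "forbidden character (NUL or U+FFFD)"

    # 2. Map IRI to URI so non-ASCII becomes %XX escapes.
    uri = iri_to_uri(value)

    # 3. Whitelist: only reserved, unreserved and '%' may remain.
    bad = sorted({ch for ch in uri if ch not in ALLOWED})
    if bad:
        return False, "disallowed characters: " + ", ".join(
            f"U+{ord(c):04X}" for c in bad
        )

    # 4. Every '%' must begin a well-formed two-hex-digit escape.
    if "%" in PCT_ENCODED.sub("", uri):
        return False, "malformed percent-escape"

    return True, uri


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    for sample in (
        "http://example.com/path?q=a&b=c#frag",
        "http://example.com/caf\u00e9",
        "foo\x00bar",
        "foo\ufffdbar",
        "http://example.com/a b",
        "http://example.com/%zz",
    ):
        print(repr(sample), "->", check_uri_attribute(sample))
```

The order of the steps matters: the NUL/U+FFFD check runs on the raw attribute value, before the IRI-to-URI mapping, because percent-encoding would otherwise turn U+FFFD into an innocuous-looking `%EF%BF%BD` and the whitelist would accept it.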
