Paid Advertising is
ha.ckers sla.cking
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Breaking out of JS String Assignment?
Posted by: Visha
Date: May 22, 2014 07:10AM

I have a user controlled JavaScript string which is assigned to a variable, e.g.

var s = '(my input)';

Only three characters are converted: ' < and >

< and > are replaced with &#60; and &#62; , respectively.

The single quote (' / %27) is replaced with

' + "'" + '

For example, an input of


will result in

var s = 'a' + "'" + 'b';

and an input of 'aa'bb' will result in

var s = '' + "'" + 'aa' + "'" + 'bb' + "'" + '';

\ and / are neither converted nor escaped, so I can insert things like \u0022 or \n and I can escape the trailing ' in the string assignment.

For example, I can insert 123\ which will result in

var s = '123\';

This breaks the JavaScript syntax but does not allow me to inject code that will be interpreted.

Any ideas how to break out?

Options: ReplyQuote

Sorry, only registered users may post in this forum.