Subject: Re: [xsl] XSL Injection, is it possible?
From: "G. T. Stresen-Reuter" <tedmasterweb@xxxxxxx>
Date: Tue, 30 May 2006 12:56:27 +0100
> Currently my sanitizing function just escapes <, >, ', and " in the

If you are taking in a string and want to ensure that it is encoded in
XML as itself (in character data) rather than markup then you need
to escape < and & (and > if it follows ]]). You don't need to escape " or
' unless you are putting the string in attribute values.
> Are these characters recognized by the XSLT engine if they are hex or unicode encoded?

All XML text is unicode encoded in one way or another, so it's not quite
clear what you mean there. Encoding issues are resolved by the XML
parser before XSLT really sees the input. If you are taking unknown text
you should be escaping & as &amp; so then a character ref such as &#a0;
would be escaped to &amp;#a0;.

> but I was wondering if anyone knows of other vectors by which attackers can enter

Attacks are as likely to come from what is inserted into XML character data
as from any XML markup that is inserted. Specifically, if the stylesheets are
generating html then, if there is a danger of script being inserted, you need
to quote (or disable) possible script syntax.
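The escaping rules stated in the reply (always escape & and <, escape > only when it follows ]], and escape the quote characters only inside attribute values), written out as a small Python helper and checked against a real XML parser. This is an added example, not code from the thread; the function names and the sample input are my own, and the "malicious" string is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Added example (not from the original thread). Escapes untrusted text so that
# an XML parser treats it as character data rather than markup, following the
# rules given in the reply: '&' and '<' always, '>' only when preceded by ']]',
# and quote characters only when the text lands inside an attribute value.


def escape_xml_text(s: str) -> str:
    """Escape a string for use as XML character data (element content)."""
    out = []
    for i, ch in enumerate(s):
        if ch == "&":
            out.append("&amp;")          # also neutralises &#...; references
        elif ch == "<":
            out.append("&lt;")
        elif ch == ">" and s[max(0, i - 2):i] == "]]":
            out.append("&gt;")           # ']]>' is not allowed in content
        else:
            out.append(ch)
    return "".join(out)


def escape_xml_attr(s: str, quote: str = '"') -> str:
    """Escape a string for use inside an attribute value delimited by `quote`."""
    s = s.replace("&", "&amp;").replace("<", "&lt;")
    if quote == '"':
        return s.replace('"', "&quot;")
    return s.replace("'", "&apos;")


def roundtrip_text(s: str) -> str:
    """Embed `s` as element content, parse it, and return what the parser saw."""
    root = ET.fromstring(f"<r>{escape_xml_text(s)}</r>")
    return root.text or ""


def roundtrip_attr(s: str) -> str:
    """Embed `s` as an attribute value, parse it, and return what the parser saw."""
    root = ET.fromstring(f'<r a="{escape_xml_attr(s)}"/>')
    return root.get("a")


if __name__ == "__main__":
    # Constructed attacker-style input: markup, an entity, a CDATA terminator, quotes.
    sample = '<script>alert(1)</script> &amp; ]]> "x"'
    print(escape_xml_text(sample))
    # The parser hands the original string back unchanged, i.e. as plain text:
    assert roundtrip_text(sample) == sample
    # A character reference in untrusted input stays literal text after escaping:
    print(roundtrip_text("&#a0;"))
```

The round-trip functions are the actual check: if the parser returns exactly the input string, nothing in it was interpreted as markup. Note that attribute-value normalisation turns tabs and newlines into spaces, so `roundtrip_attr` only round-trips strings without those characters.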