Possible to inject expression property resulting in XSS attack in IE browser by using certain document modes
vijaysn2702 opened this issue · 2 comments
vijaysn2702 commented
If we use the CSS expression property, client-side code is getting executed even after applying CSS encoding.
Example: xss:expression(alert(1));
Do we need to validate properties like 'expression', and that url only contains http and https, before applying CSS encoding as per the cheat sheet? Or is the cheat sheet an older one?
jmanico commented
Yea this is a legacy issue with older versions of IE. What version of IE is this a problem with?
And if you submit a PR on this perhaps we can at least modify the Javadoc to explain this.
My advice is, if you need to support older versions of IE then be very strict in terms of what you allow in your template. I would not specifically validate out “expression”; I would strictly validate what is good and reject the rest.
Can we see a little snippet of the vulnerable code to analyze more? I can give you a better suggestion if you do.
Aloha,
--
Jim Manico
@manicode
On Mar 22, 2021, at 2:38 AM, vijaysn2702 wrote:
If we use the CSS expression property, client-side code is getting executed even after applying CSS encoding.
Example: xss:expression(alert(1));
Do we need to validate properties like 'expression', and that url only contains http and https, before applying CSS encoding?
jmanico commented
Politely closing this out, it's a very old issue and IE is going away.
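The strict allowlisting advised in the thread, sketched as an added example; it is not code from the issue or from the project, and the class name, method names and accepted value formats are assumptions. A value is accepted only when it matches a shape the template expects, and CSS encoding would still be applied to whatever passes.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Optional;
import java.util.regex.Pattern;

// Added example: allowlist validation of untrusted CSS values before encoding.
// Class name, method names and accepted formats are illustrative assumptions.
public class CssValueAllowlist {
    // Only the exact shapes the template needs; everything else is rejected.
    private static final Pattern HEX_COLOR = Pattern.compile("#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})");
    private static final Pattern LENGTH = Pattern.compile("(?:0|[1-9][0-9]{0,3})(?:px|em|rem|%)");
    // Characters that could close a url(...) token or start a CSS escape.
    private static final Pattern URL_UNSAFE = Pattern.compile("[\\s\"'()\\\\<>]");

    static Optional<String> color(String v) {
        return v != null && HEX_COLOR.matcher(v).matches() ? Optional.of(v) : Optional.empty();
    }

    static Optional<String> length(String v) {
        return v != null && LENGTH.matcher(v).matches() ? Optional.of(v) : Optional.empty();
    }

    // Accept only absolute http/https URLs that have a host component.
    static Optional<String> httpUrl(String v) {
        if (v == null || v.length() > 2048 || URL_UNSAFE.matcher(v).find()) return Optional.empty();
        try {
            URI u = new URI(v);
            String s = u.getScheme();
            boolean ok = s != null && (s.equalsIgnoreCase("http") || s.equalsIgnoreCase("https"))
                    && u.getHost() != null;
            return ok ? Optional.of(u.toASCIIString()) : Optional.empty();
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the second is the value quoted in the issue.
        for (String v : List.of("#1a2b3c", "xss:expression(alert(1))", "12px", "red;width:1px")) {
            boolean accepted = color(v).isPresent() || length(v).isPresent();
            System.out.println((accepted ? "accept " : "reject ") + v);
        }
        for (String v : List.of("https://example.com/bg.png", "ftp://example.com/bg.png", "//example.com/x")) {
            System.out.println((httpUrl(v).isPresent() ? "accept " : "reject ") + v);
        }
    }
}
```

Because each pattern describes only what is allowed, the value from the issue is rejected without any rule that names "expression".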