Friday, May 25, 2007

to_json Cross Site Scripting security issue (XSS)

Bart t. B. brought the following to_json security issue to my attention; the Rails Trac ticket at http://dev.rubyonrails.org/ticket/8371 has more on it:

to_json is almost only used for injecting object hashes into JavaScript.

var client = <%= client.to_json %>;

Because to_json does not escape its values, it's easy to construct a Cross-Site Scripting exploit. If client has a name attribute, to_json will come up with something like: var client = {attributes: {name: "TEST"}};

If we change the name to, say: TEST"}}; alert('XSS!!') ;a={{" we have no problem in the rest of our application, as we use <%= h client.name %>, but when we render our JavaScript, there is a problem:

var client = {attributes: {name: "TEST"}}; alert('XSS!!');a={{""}};

There is currently no easy way to safely escape to_json, as escaping the result will result in a broken hash. The implementation of the current to_json is such that no difference is made between the value and the key, making an easy fix difficult.

This seems to be somewhat refactored in the trunk, but the problem is still there. I understand that this is not really a to_json problem, but as 99% of the users probably use it this way, something like a :secure_values option would be nice.
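The ticket's example is easier to follow against a serializer you can run, so here is an added example (not code from this post, from the ticket, or from Rails itself). The hypothetical naive_to_js models the behaviour the ticket describes, interpolating keys and values verbatim, so the attacker's name closes the string literal and the hash. The hypothetical safe_to_js and escape_js_string show what a serializer whose output lands inside <script> has to do: the escapes JSON itself requires, plus <, >, & (so a value containing </script> cannot close the tag) and U+2028/U+2029, which JavaScript treats as line terminators. html_escaped_json_valid? demonstrates the ticket's other point, that simply h()-escaping the whole result leaves a broken hash. All function names and the sample input are constructed for this example.

```ruby
require 'json'
require 'cgi'

# Constructed input: the attacker-controlled name from the ticket.
MALICIOUS_NAME = 'TEST"}}; alert(\'XSS!!\') ;a={{"'.freeze

# Models the behaviour the ticket describes: keys and string values are
# interpolated verbatim, so a double quote inside a value terminates the
# JavaScript string literal and everything after it runs as code.
def naive_to_js(hash)
  pairs = hash.map do |key, value|
    literal = value.is_a?(Hash) ? naive_to_js(value) : %("#{value}")
    "#{key}: #{literal}"
  end
  "{#{pairs.join(', ')}}"
end

# Escape table for a string inlined inside <script>. Besides the escapes JSON
# requires, it encodes <, >, & so "</script>" in a value cannot close the tag,
# and U+2028/U+2029, which JavaScript treats as line terminators.
JS_ESCAPES = {
  '"'  => '\\"',  '\\' => '\\\\',
  "\b" => '\\b',  "\f" => '\\f', "\n" => '\\n', "\r" => '\\r', "\t" => '\\t',
  '<'  => '\\u003c', '>' => '\\u003e', '&' => '\\u0026',
  "\u2028" => '\\u2028', "\u2029" => '\\u2029'
}.freeze

def escape_js_string(str)
  str.to_s.gsub(/[\u0000-\u001f"\\<>&\u2028\u2029]/) do |c|
    JS_ESCAPES[c] || format('\\u%04x', c.ord)
  end
end

# Serializer that escapes every string it emits, keys included. The output is
# still valid JSON, so the browser (or JSON.parse below) recovers the original
# value intact instead of executing part of it.
def safe_to_js(obj)
  case obj
  when Hash
    '{' + obj.map { |k, v| "#{safe_to_js(k.to_s)}: #{safe_to_js(v)}" }.join(', ') + '}'
  when Array
    '[' + obj.map { |v| safe_to_js(v) }.join(', ') + ']'
  when String, Symbol
    %("#{escape_js_string(obj)}")
  when Numeric, true, false
    obj.to_s
  when nil
    'null'
  else
    safe_to_js(obj.to_s)
  end
end

# Why "just h() the result", as you would for client.name, is not a fix:
# HTML-escaping turns every quote into &quot; and the object literal no longer
# parses at all, which is the "broken hash" the ticket describes.
def html_escaped_json_valid?(obj)
  JSON.parse(CGI.escapeHTML(safe_to_js(obj)))
  true
rescue JSON::ParserError
  false
end

if __FILE__ == $PROGRAM_NAME
  client = { attributes: { name: MALICIOUS_NAME } }
  puts "naive: var client = #{naive_to_js(client)};"
  puts "safe:  var client = #{safe_to_js(client)};"
  puts "h() on the whole JSON still parses? #{html_escaped_json_valid?(client)}"
end
```

The fix belongs in the serializer, not around it: escape each string value at the point where it is turned into a literal, never the finished object. Later Rails releases ship this idea as ActiveSupport.escape_html_entities_in_json and ERB::Util.json_escape.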


Reader Comments (178)

[...] If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting! The Ruby on Rails Security Blog has a post about a potential XSS issue with to_json. [...]

