Can XSS be introduced by changing the language encoding?

Question

Can XSS be introduced by changing the language encoding?

Suppose I have a web application using Latin1 or some standard default English language encoding. I want to change the application to use UTF-8 or possibly another language. Can you prove that this change will introduce XSS?

This is not a PHP-specific question, but in PHP you can show a case where it htmlspecialchars($var,ENT_QUOTES);is vulnerable to XSS, but htmlspecialchars($var,ENT_QUOTES,'UTF-8');not.

+5

security utf-8 xss

rook Jan 7 '11 at 17:41

source share

2 answers

, , htmlspecialchars , .

<?php
$s = htmlspecialchars($_GET['x'], ENT_QUOTES);
$s_utf8 = htmlspecialchars($_GET['x'], ENT_QUOTES, 'UTF-8');

if(!empty($s))
  print "default: " . $_GET['x'] . "<br>\n";

if(!empty($s_utf8))
  print "utf8: " . $_GET['x'] . "<br>\n"
?>

XSS UTF-8,

http://site/silly.php?x=<script>alert(0)</script>%fe

htmlspecialchars UTF-8 . $_GET - , .

, 1 UTF-8, , , htmlspecialchars , .

, (, , ) XSS . , strchr(), strlen() , , % 00 . (, HTML.)

, , . .

+4

Mike 07 . '11 23:51

dan04 · Accepted Answer · 2011-01-09T15:11:13+0000

From RFC 3629 :

10. Security Considerations
UTF-8 , UTF-8. UTF-8, , UTF-8.
, UTF-8 , . , NUL 00, C0 80 NUL. , 2F 2E 2E 2F ( "/../" ), 2F C0 AE 2E 2F. 2001 ; , .

, UTF-8.

, , , . HTML ASCII, UTF-8, ISO-8859-1, ASCII. htmlspecialchars , .

, ASCII. , GB18030 ASCII 0x30 . HYPHEN ‐ (U + 2010) A9 5C, ASCII. , SQL injection.

Can XSS be introduced by changing the language encoding?

More articles: