HTML Sanitizing Information Disclosure - CVE-2011-1252
The toStaticHTML function is used to sanitize HTML fragments from dynamic and potentially malicious content.
If an attacker is able to bypass the filtering mechanism and pass malicious code through this function, they may be
able to perform HTML injection attacks such as XSS.
An attacker is able to craft CSS that, after passing through the toStaticHTML function, will contain
This CSS bypasses the filtering engine for two reasons:
- The filtering engine allows the string "expression(" to exist in "non-dangerous" locations within the CSS.
- The filtering engine encodes characters such as &, <, >, etc. to their HTML entity representations (&amp;, &lt;, &gt;, etc.).
Combining these two facts, the attacker is able to use the semicolon that terminates an HTML entity (the ";" in "&gt;")
to end one CSS declaration and start a new one without the filtering engine realizing it, thus breaking its state
machine and bypassing the filter.
Every application that relies on the function toStaticHTML to sanitize user-supplied data is therefore likely
vulnerable to XSS.
Discovered by - Adi Cohen, IBM Application Security Research