Xss protection on Ampersand

Xss protection on Ampersand

marwimarwi Posts: 33Questions: 9Answers: 0

Hi
I would like to let user input varchars including the Ampersand symbol (&) via Editor. In the database (php server side) it should stored the & symbol and NOT converted to & amp ;

The reason is as this db table will also be used by other applications which are not webbased.

Is there a way to store the & symbol in db ? I know of the server side function ->xss(false) , but I dont want to fully disable XSS protection, so can I just use a render function on the data table? How to do?

Best regards
Marwi

This question has an accepted answers - jump to answer

Answers

  • allanallan Posts: 63,512Questions: 1Answers: 10,472 Site admin

    One option would be to us a custom XSS function. HTML Purifier in particular is good, although is is massive which is why I didn't include it by default.

    The ultimate way is to disable XSS on write to the database and then use the text renderer in the DataTable to ensure you don't run into XSS issues. It does require a bit more configuration though.

    Allan

  • marwimarwi Posts: 33Questions: 9Answers: 0

    I don't fully understand how it works in DataTables. Even when using the option ->xss(false) in the PHP script, I am still not allowed to enter <script> in the Editor. The message after clicking [Update] button is: "A system error has occurred".

    On the other hand, when using the option render: $.fn.dataTable.render.text() in the JS file, and I input &#x3c in the Editor, the table shows me < instead of the inputted string.

  • allanallan Posts: 63,512Questions: 1Answers: 10,472 Site admin

    When the "system error" message is given to you, what is the server sending back in response to the Ajax request? That error message means that the JSON data from the server is not valid JSON.

    Allan

  • marwimarwi Posts: 33Questions: 9Answers: 0

    The server's response is

    <HTML>
    <HEAD>
    <TITLE>403 Forbidden</TITLE>
    </HEAD>
    <BODY>
    <H1>Forbidden</H1>
    You do not have permission to access this document.
    <P>
    <HR>
    <ADDRESS>
    Web Server at test.skeleton
    </ADDRESS>
    </BODY>
    </HTML>
    

    It seems to be as if the hosting provider also has some XSS protection on top. But it only applies on <script> and does not have any impact on single & character.

    So I don't know how to test XSS attack with & character, and see the difference between using/not using the text render function.

  • allanallan Posts: 63,512Questions: 1Answers: 10,472 Site admin

    Just to check I've understood correctly, if you send data which contains a & you get a 403 Forbidden? If you don't, then it correctly updates the database?

    That very much sounds like a server configuration. I'm afraid I don't even know what http server you are using? Can you disable that?

    Allan

  • marwimarwi Posts: 33Questions: 9Answers: 0

    No, I get 403 if I send data containing <script>. I cannot disable this function in hosting provider's control panel.

    I'd like to test for XSS attack containing & and see if the website can be protected by using render: $.fn.dataTable.render.text() . But I dont know how to test it.

  • allanallan Posts: 63,512Questions: 1Answers: 10,472 Site admin

    Ah I see - you are using the <script> to try and inject Javascript? You could use a DOM0 event for that - <a onclick="alert('Oh oh');">Attempted hack</a>.

    Allan

  • marwimarwi Posts: 33Questions: 9Answers: 0

    Your suggestion <a onclick="alert('Oh oh');">Attempted hack</a> is also blocked by the hoster's protection, responding with 403 error. However, they don't block this one: <img src=x onerror="javascript:alert('XSS')">, and when disabling XSS protection in PHP server script, it shows the alert in the DataTable. But when using the render function at the same time ($.fn.dataTable.render.text()), then everything is safe and no alert it shown.

    After all, I think the render function is a safe way to protect against XSS if the preferred server side protection is no option (due to I want the input of Ampersand & to be allowed).

    Anyway I still don't know the "danger" of the Ampersand in regards to XSS, but this is not a topic related to DataTables.

  • allanallan Posts: 63,512Questions: 1Answers: 10,472 Site admin
    Answer ✓

    That's the problem with XSS protection via regex, which it appears your host is doing. There will always be some way around it!

    Regarding the ampersand, this SO post on the topic is quite interesting.

    Allan

This discussion has been closed.