Grave accent (back-tick) IE mXSS protection and implementation in Utils\Html

lutor
Member | 27
+
0
-

Hi,
in Utils\Html – see https://github.com/…ils/Html.php#L560 – I have found (correct me if I am mistaken) an mXSS protection against an old IE bug that causes IE to interpret the grave accent ` character the same way as ' or ", so it is possible to terminate the attribute sequence and insert custom code (see https://html5sec.org/#59 – English version) – in this case Nette's Html object appends a space to the end of the value.

What I don't understand is this condition:

(strpos($value, '`') !== FALSE && strpbrk($value, ' <>"\'') === FALSE ? ' ' : '')

→ which tells me that if the value contains a grave accent and does not contain any of [ <>"'], append a space, otherwise leave it as is. Can somebody explain to me why? Is this condition (considering the old IE mXSS protection) really correct? Shouldn't the space be appended when the string DOES contain any of these characters? I am really confused. Or is there some other "magic" hidden in this condition which I don't see?

Why am I asking such a nitpicker's question? We are using a custom system that partially uses some parts of Nette (Latte, Utils, …), and for some compatibility and implementation reasons we are trying to modify our custom forms to behave like Nette's forms – in terms of rendering and escaping of characters (and NO, we can't use Nette Forms).
And while looking at how escaping of Nette's Html attributes is implemented, I found this line of code, which I really don't understand :-)

Thanks.

enumag
Member | 2128
+
+2
-

Read this commit message:

https://github.com/…989448fb9123

Comments

lutor:

Got it. Thanks!

4 years ago
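As an added illustration (not Nette's code and not part of the thread), the condition lutor quotes re-implemented beside a naive quoting routine, so the inverted check becomes visible on sample values. The reasoning in the comments is my reading of the linked commit: old IE's innerHTML serializer drops the quotes around an attribute value that contains none of space, <, >, " or ', and only then does a backtick act as a delimiter on re-parse; a value that already contains one of those characters is re-serialized with its quotes intact, so no padding is needed.

```php
<?php
// Added example, not Nette's own code: the Utils\Html trailing-space rule
// next to a naive escaper, applied to constructed sample values.

/**
 * Naive escaping: entity-encode and wrap in double quotes.
 * htmlspecialchars() does not touch the backtick, so for a value with no
 * space/<>/quotes old IE can re-serialize it unquoted (assumption from the
 * linked commit) and treat ` as the attribute delimiter.
 */
function escapeAttrNaive(string $value): string
{
    return '"' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
}

/**
 * Hardened variant using the condition quoted in the thread:
 * if the value contains a backtick AND none of the characters that make
 * IE keep the quotes, append a space so the serialized value stays quoted.
 */
function escapeAttrNette(string $value): string
{
    $pad = (strpos($value, '`') !== false && strpbrk($value, ' <>"\'') === false) ? ' ' : '';
    return '"' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . $pad . '"';
}

// Constructed sample values (hypothetical, chosen to hit each branch)
$samples = [
    'plain',   // no backtick at all: left alone
    '`x',      // backtick and nothing forcing quotes: gets the trailing space
    '`x y',    // backtick but a space is present: IE keeps the quotes anyway
    '`x<y',    // backtick but '<' is present: IE keeps the quotes anyway
];

foreach ($samples as $v) {
    printf("%-8s naive=%-14s nette=%s\n",
        var_export($v, true), escapeAttrNaive($v), escapeAttrNette($v));
}
```

Only the second sample is padded; the other backtick values already contain a character from the strpbrk() set, which is exactly the "otherwise leave as is" branch lutor asked about.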