Xss protection on Ampersand

marwi (Posts: 33, Questions: 9, Answers: 0)

Hi
I would like to let users input varchars including the ampersand symbol (&) via Editor. In the database (PHP server side) it should store the & symbol and NOT convert it to &amp;

The reason is as this db table will also be used by other applications which are not webbased.

Is there a way to store the & symbol in the DB? I know of the server-side function ->xss(false), but I don't want to fully disable XSS protection, so can I just use a render function on the DataTable? How would I do that?

Best regards
Marwi


Answers

  • allan (Posts: 63,498, Questions: 1, Answers: 10,471, Site admin)

    One option would be to use a custom XSS function. HTML Purifier in particular is good, although it is massive, which is why I didn't include it by default.

    The ultimate way is to disable XSS on write to the database and then use the text renderer in the DataTable to ensure you don't run into XSS issues. It does require a bit more configuration though.

    Allan

  • marwi (Posts: 33, Questions: 9, Answers: 0)

    I don't fully understand how it works in DataTables. Even when using the option ->xss(false) in the PHP script, I am still not allowed to enter <script> in the Editor. The message after clicking the [Update] button is: "A system error has occurred".

    On the other hand, when using the option render: $.fn.dataTable.render.text() in the JS file and I input &#x3c in the Editor, the table shows me < instead of the input string.

  • allan (Posts: 63,498, Questions: 1, Answers: 10,471, Site admin)

    When the "system error" message is given to you, what is the server sending back in response to the Ajax request? That error message means that the JSON data from the server is not valid JSON.

    Allan

  • marwi (Posts: 33, Questions: 9, Answers: 0)

    The server's response is

    <HTML>
    <HEAD>
    <TITLE>403 Forbidden</TITLE>
    </HEAD>
    <BODY>
    <H1>Forbidden</H1>
    You do not have permission to access this document.
    <P>
    <HR>
    <ADDRESS>
    Web Server at test.skeleton
    </ADDRESS>
    </BODY>
    </HTML>
    

    It seems as if the hosting provider also has some XSS protection on top. But it only applies to <script> and does not have any impact on a single & character.

    So I don't know how to test an XSS attack with the & character and see the difference between using/not using the text render function.

  • allan (Posts: 63,498, Questions: 1, Answers: 10,471, Site admin)

    Just to check I've understood correctly: if you send data which contains a &, you get a 403 Forbidden? If you don't, then it correctly updates the database?

    That very much sounds like a server configuration. I'm afraid I don't even know what HTTP server you are using. Can you disable that?

    Allan

  • marwi (Posts: 33, Questions: 9, Answers: 0)

    No, I get 403 if I send data containing <script>. I cannot disable this function in hosting provider's control panel.

    I'd like to test for an XSS attack containing & and see if the website can be protected by using render: $.fn.dataTable.render.text(). But I don't know how to test it.

  • allan (Posts: 63,498, Questions: 1, Answers: 10,471, Site admin)

    Ah I see - you are using the <script> to try and inject Javascript? You could use a DOM0 event for that - <a onclick="alert('Oh oh');">Attempted hack</a>.

    Allan

  • marwi (Posts: 33, Questions: 9, Answers: 0)

    Your suggestion <a onclick="alert('Oh oh');">Attempted hack</a> is also blocked by the hoster's protection, responding with a 403 error. However, they don't block this one: <img src=x onerror="javascript:alert('XSS')">, and when disabling XSS protection in the PHP server script, it shows the alert in the DataTable. But when using the render function at the same time ($.fn.dataTable.render.text()), then everything is safe and no alert is shown.

    After all, I think the render function is a safe way to protect against XSS if the preferred server-side protection is not an option (because I want the input of the ampersand & to be allowed).

    Anyway, I still don't know the "danger" of the ampersand in regards to XSS, but this is not a topic related to DataTables.

  • allan (Posts: 63,498, Questions: 1, Answers: 10,471, Site admin)
    Answer ✓

    That's the problem with XSS protection via regex, which it appears your host is doing. There will always be some way around it!

    Regarding the ampersand, this SO post on the topic is quite interesting.

    Allan
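The two technical points in this thread in one added example: the first answer's recommendation (store the raw value with ->xss(false) on write and entity-encode on output with render: $.fn.dataTable.render.text()) and the accepted answer's point that a regex blocklist can always be bypassed. This is example code written for this page; it is not DataTables or Editor code and was not posted by anyone in the thread. escapeHtml() reproduces the entity encoding render.text() applies for an HTML text context; the BLOCKLIST regex is a hypothetical stand-in for the host's unknown filter (built from the payloads the thread reports as blocked, plus a "javascript:" term added only so the entity bypass is visible), and the helper names and sample inputs are constructed for the demo.

```javascript
// Added example for this page, not DataTables/Editor code. escapeHtml()
// mirrors what render.text() does; BLOCKLIST is a hypothetical regex filter
// and SAMPLES are constructed inputs, not data from the thread.

// Encode for an HTML text context. Encoding & itself is what keeps every
// other entity already present in the data from being interpreted.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Single-pass entity decoder: approximates what the browser displays for a
// text node, or the value it uses for an attribute such as href. One pass is
// essential: "&amp;lt;" must decode to the literal "&lt;", not to "<".
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"' };
function decodeEntities(html) {
  return html.replace(/&(#x[0-9a-f]+|#[0-9]+|amp|lt|gt|quot);/gi, (_, ent) => {
    if (ent[0] !== '#') return NAMED_ENTITIES[ent.toLowerCase()];
    const hex = ent[1].toLowerCase() === 'x';
    return String.fromCodePoint(parseInt(ent.slice(hex ? 2 : 1), hex ? 16 : 10));
  });
}

// Approach 1: sanitise on write (what the poster wants to avoid). The row
// then holds "&amp;" for "&", which non-web consumers of the table see as-is.
function storeSanitised(value) {
  return escapeHtml(value);
}

// Approach 2: ->xss(false) on write, so the row holds the raw value, and the
// DataTable column uses render: $.fn.dataTable.render.text() on output.
function storeRaw(value) {
  return value;
}
function renderTextCell(stored) {
  return escapeHtml(stored);
}

// What the user sees in the cell once the browser decodes the entities.
function shownInCell(stored) {
  return decodeEntities(renderTextCell(stored));
}

// Both approaches side by side for one input value.
function compareApproaches(value) {
  const sanitised = storeSanitised(value);
  const raw = storeRaw(value);
  return {
    sanitised: { stored: sanitised, shown: shownInCell(sanitised) },
    raw: { stored: raw, cellHtml: renderTextCell(raw), shown: shownInCell(raw) },
  };
}

// A rendered cell is inert when no tag can start in it: no raw "<" or ">" survived.
function cellIsInert(cellHtml) {
  return !/[<>]/.test(cellHtml);
}

// Hypothetical regex blocklist in the style of a hosting-provider filter.
const BLOCKLIST = /<script|\bonclick\s*=|javascript:/i;
function wafBlocks(input) {
  return BLOCKLIST.test(input);
}

// Constructed sample inputs: the ampersand case from the question, the two
// payloads the thread reports as blocked, the onerror payload that got
// through, an entity-encoded "javascript:" that a raw-input regex cannot see
// but a browser decodes inside an href attribute, and an entity-encoded tag.
const SAMPLES = [
  'Smith & Sons',
  '<script>alert(1)</script>',
  '<a onclick="alert(1)">x</a>',
  '<img src=x onerror="alert(1)">',
  '<a href="javascript&#58;alert(1)">x</a>',
  '&#x3c;script&#x3e;',
];

function report() {
  for (const s of SAMPLES) {
    const r = compareApproaches(s);
    console.log(JSON.stringify({
      input: s,
      blockedByWaf: wafBlocks(s),
      attributeValueAfterDecode: decodeEntities(s),
      sanitisedStored: r.sanitised.stored,
      sanitisedShown: r.sanitised.shown,
      rawCellHtml: r.raw.cellHtml,
      rawShown: r.raw.shown,
      rawCellInert: cellIsInert(r.raw.cellHtml),
    }, null, 2));
  }
}

if (typeof require !== 'undefined' && require.main === module) report();
```

Run it with node. The "Smith & Sons" row shows the cost of sanitising on write: the database holds "Smith &amp; Sons" and, once render.text() encodes that again, the cell displays the literal text "&amp;". Storing raw and encoding on output displays "Smith & Sons" and still turns the onerror payload into inert text. The "javascript&#58;" row is the ampersand danger the last post asks about: a filter that inspects raw input never sees "javascript:", but the browser decodes the entity when it reads the href attribute. Output encoding is not bypassed by that, because it encodes the & itself, so the entity never reaches the parser as an entity.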
