Bug #23377
closedRemoveXSS exposes XSS vulnerability for double encoded characters
0%
Description
One feature/task of RemoveXSS is the decoding of Unicode numerical/hex encoded characters. This kind of normalization is done before RemoveXSS searches for potential malicious strings.
The here reported vulnerability uses this feature to circumvent the XSS detection. It uses a double encoded character. Outputting such string normally would not be a XSS problem as browsers won't render XSS strings for such double encoded characters. However, together with RemoveXSS it becomes a problem. A double encoded character becomes malicious after passing the RemoveXSS check.
The solution is to do the decoding within a loop. Looping is done as long as regex patterns match encoded characters.
Please use the attached unit tests! Some tests will fail for double encoded chacters with the current TYPO3 Core implementation. After applying the RemoveXSS patch all tests should pass.
OTRS-X-Reference: #2010072910000039
Reporter: Franz G. Jahn (cron IT)
Initial mitigation patch provided by reporter.
To be committed:- additional unit tests regarding encoded characters
- RemoveXSS patch
(issue imported from #M15461)
Files