Backbone Patterns JSON preloading XSS vulnerability

I was skimming through Backbone Patterns by Rico Sta. Cruz to see if I could learn something from the Backbone practices and apply it to our own in-house systems, which achieve pretty much the same things in a slightly different manner.

The following code caught my eye as we at Meetin.gs have been bitten by the same problem in the past:

<script>
 App.photos = new Photos(<?php echo json_encode($photos); ?>);
</script>

The data in $photos is usually pretty arbitrary and it is hard to make sure that it does not contain something like this:

{ "name" : "</script><script>alert(\"xss\")</script>" }

The way we at Meetin.gs have solved this XSS vulnerability is by URI encoding the JSON on the page and then decoding it with decodeURIComponent before passing it to a JSON parser. Here is a quick (completely untested) example with jQuery:

// The percent-encoded JSON must be passed as a string literal; rawurlencode output
// contains only unreserved characters and %XX escapes, so it cannot break out of the quotes
App.photos = new Photos( jQuery.parseJSON( decodeURIComponent(
    "<?php echo rawurlencode( json_encode( $photos ) ); ?>"
) ) );
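As an added example (not code from the original post), the following Node.js script emulates the server-side template for both the vulnerable and the URI-encoded pattern and checks what the HTML parser would see. It assumes encodeURIComponent as a stand-in for PHP's rawurlencode, and note that JSON.stringify, unlike PHP's json_encode by default, does not escape the slash in "</script>", so the breakout is visible here without any extra flags.

```javascript
// Added example, not code from the original post: a Node.js emulation of the
// server-side template so both patterns can be checked offline.

// Constructed record carrying the breakout value quoted in the post.
const photos = [{ name: '</script><script>alert("xss")</script>' }];

// Vulnerable pattern: raw JSON interpolated into an inline <script>.
// JSON.stringify (unlike PHP's json_encode by default) leaves "/" unescaped,
// so "</script>" reaches the page intact and the HTML parser ends the
// element there, before the JavaScript string is ever evaluated.
function renderVulnerable(data) {
  return '<script>\n App.photos = new Photos(' + JSON.stringify(data) + ');\n</script>';
}

// Hardened pattern from the post: percent-encode the JSON on the server
// (encodeURIComponent stands in for PHP's rawurlencode) and decode it in the
// browser before parsing. The encoded text contains only unreserved
// characters and %XX escapes, so "<", '"' and "\" cannot appear in it and
// neither the HTML tokenizer nor the JS string literal can be broken out of.
function renderHardened(data) {
  const encoded = encodeURIComponent(JSON.stringify(data));
  return '<script>\n App.photos = new Photos(JSON.parse(decodeURIComponent("' +
         encoded + '")));\n</script>';
}

// Check: does anything between the outer <script> tags look like an end tag?
// The HTML tokenizer closes a script element on "</script" regardless of
// whether it sits inside a JavaScript string.
function hasScriptBreakout(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.lastIndexOf('</script>');
  return /<\/script/i.test(html.slice(start, end));
}

// What the browser evaluates on the hardened page: the round trip must give
// back the original data unchanged.
function decodeClientSide(encoded) {
  return JSON.parse(decodeURIComponent(encoded));
}

console.log('vulnerable breakout:', hasScriptBreakout(renderVulnerable(photos))); // true
console.log('hardened breakout:', hasScriptBreakout(renderHardened(photos)));     // false
```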

It would be nice to see at least a note of this on the Backbone Patterns page as this vulnerability is not an easy one to catch and might end up in many places.

This vulnerability was at first brought to our attention by Harry Sintonen so huge thanks to him for it.


2 Responses to “Backbone Patterns JSON preloading XSS vulnerability”

  1. Keith Ivey says:

    The json_encode() will backslash the slashes, so you’ll get

    {"name":"<\/script><script>alert(\"xss\")<\/script>"}

    which shouldn’t be a problem, right?

  2. Esailija says:

    My last comment didn’t come up properly, see http://codepad.org/bodpfwRA
