���դ�twitter XSS�פ�ϡ��դ����twitter.com�ϻȤ�ʤ���ˤϱ󤯤κפ���Ҥ��ä��ΤǤ��������ä����μ����ε���ʤΤǡ�
Kazuho@Cybozu Labs: (Twitter �� XSS �ȼ����˴�Ϣ����) ��¤���ƥ����Ȥ����������������׼�ˡ�ˤĤ������������ץ������ϡ����ƤΥ롼���Ʊ����Ŭ�Ѥ��뤳�ȤǤ���
����ϻ�ǰ�ʤ���(�����餯)ɬ�׾��Ǥ��äƤ⽽ʬ���ǤϤ���ޤ���
��������(���ʤꤨ���������)����ɽ����tweet��parse���Ƥ����Ȥ��ޤ���
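// Sub-patterns for the things a tweet can contain, kept as strings so
// they can be joined into a single alternation below. Declared with
// `var` rather than as implicit globals so the file also runs in strict
// mode (ES modules) and the names are visibly defined here.
//
// re_http accepts any printable ASCII after the scheme, which includes
// '"', '<' and '>': a matched URL is therefore NOT safe to paste into
// HTML by string concatenation (see parse_tweet_wrong vs. make_link).
var re_http = '(?:https?://[\\x21-\\x7e]+)';
// Twitter user names: 1-15 word characters after '@'.
var re_user = '(?:[@][0-9A-Za-z_]{1,15})';
// A hashtag is '#' followed by any run of non-whitespace.
var re_hashtag = '(?:[#]\\S+)';
// The three characters that must be escaped in HTML text. Matching them
// in the same regex lets one replace() pass escape and linkify at once.
var re_entities = '(?:[<>&])';
// Alternation order matters: the URL alternative is tried first, so a
// URL containing '@', '#', '<' or '&' is consumed whole instead of being
// split into user / hashtag / entity matches. 'g' so replace() handles
// every occurrence.
var re_tweet = new RegExp([re_http, re_user, re_hashtag, re_entities].join('|'), 'g');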
�������
�ʲ������ƤΥ롼���Ʊ����Ŭ�Ѥ��Ƥ��ޤ���������Ǥ��äѤ�XSS�Ȥʤ�ޤ���
/**
 * Deliberately unsafe linkifier, kept as the counter-example.
 *
 * Escaping and linkification are done in a single replace() pass over
 * re_tweet, which is the right structure; the flaw is in how links are
 * emitted. re_http accepts any printable ASCII, so a matched URL may
 * contain '"', '<' or '>', and the URL branch below concatenates it
 * straight into the href attribute and the element text. A '"' inside
 * the URL ends the attribute early and whatever follows is parsed as
 * further attributes: HTML injection (XSS). Compare parse_tweet_right,
 * which builds the <a> through the DOM instead.
 *
 * @param {string} s - raw tweet text
 * @returns {string} HTML that must not be treated as safe
 */
parse_tweet_wrong = function(s){
  return s.replace(re_tweet, function(m0){
    if (m0.match(/^[<>&]$/)){
      // Single-character match from re_entities.
      // NOTE(review): as rendered on this page the map is the identity,
      // so '<', '>' and '&' pass through unescaped; presumably the
      // intended values are the corresponding named HTML entities.
      return {'<':'<','>':'>','&':'&'}[m0];
    // The missing `else` is harmless: the branch above always returns.
    }if (m0.match(/^http/)){
      // Unsafe: m0 is interpolated raw into an attribute value and into
      // element text; see the header comment.
      return '<a href="' + m0 + '">' + m0 + '</a>';
    }else if(m0.match(/^\@/)) {
      // re_user admits only [0-9A-Za-z_], so this branch cannot inject
      // markup by itself.
      return '@<a href="http://twitter.com/'
        + m0.substr(1) + '">' + m0.substr(1) + '</a>';
    }else if(m0.match(/^\#/)) {
      // The href is percent-encoded, but the visible text m0 is not
      // escaped, and re_hashtag matches any non-space run, '<' included.
      return '<a href="http://twitter.com/search?q='
        + encodeURIComponent(m0) + '">'
        + m0 + '</a>';
    }else{
      // Not reachable with the current re_tweet, but keeps replace()
      // total if new alternatives are added.
      return m0;
    }
  });
};
- Tweet:
- Parsed:
��ʸ�κǸ�Υ�󥯤ϡ�<a href="http://twitter.com/#@"onmouseover="alert(location.href)"/">��</a>��Ÿ������Ƥ��ޤ��ΤǤ��͡�href��"���Ĥ�����äƤ���櫓�Ǥ����ޤ����åµï¿½ï¿½ï¿½ï¿½ï¿½ï¿½É½ï¿½ï¿½ï¿½Ï¡ï¿½Mutually Exclusive�ǤϤ���ޤ���URI��Ҥä���������ɽ������¾������ɽ����ְ��߹���ǡפ��ޤ��Ȥ������ȤǤ���
������
�פ�href����ˡ�"�����������ʤ����������٤����äƤ��ޤ��С��֤�����404�ʥ�󥯡פˤʤ�ΤǤ����顢��������Ф褤�ΤǤ���kazuho�����snippet��(�����餯HTML::Entities��)encode_entities()�Ǥ����äƤ���ΤǤ�������â¤ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½Æ¤ï¿½ï¿½ï¿½Î¤Ç¤ï¿½ï¿½ï¿½ï¿½ï¿½JavaScript�ǤϤɤ�����Ф褤�Ǥ��礦?
����ʼ꤬�Ȥ��ޤ���
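/**
 * Build an <a> element through the DOM and return its serialised HTML.
 *
 * Setting .href and appending a text node means the HTML serialiser, not
 * string concatenation, produces the attribute value and the link text,
 * so a '"', '<' or '&' in either argument cannot break out of the markup.
 * The URL scheme is not checked here: callers must only pass http(s)
 * URLs (re_http guarantees that for URL matches; the other callers build
 * the URL themselves from a restricted character set).
 *
 * @param {string} href - link target
 * @param {string} text - visible link text
 * @returns {string} serialised <a ...>text</a> markup
 */
var make_link = function(href, text) {
  var anchor = document.createElement('a');
  anchor.href = href;
  anchor.appendChild(document.createTextNode(text));
  // A throw-away container whose innerHTML is the serialised anchor.
  var container = document.createElement('div');
  container.appendChild(anchor);
  return container.innerHTML;
};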
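/**
 * Escape and linkify a tweet in one pass over re_tweet.
 *
 * Text between matches is passed through untouched, so everything that
 * could be interpreted as markup must be caught by re_tweet: that is why
 * '<', '>' and '&' are part of the pattern and are replaced by their
 * named entities here. Links are produced by make_link, which lets the
 * DOM serialise the attribute and the text, so a '"' or '<' inside a
 * matched URL or hashtag cannot escape the href or the element text.
 *
 * Fix over the version as shown on the page: the entity map there was
 * the identity ('<' -> '<'), which left '<', '>' and '&' unescaped.
 *
 * @param {string} s - raw tweet text
 * @returns {string} HTML fragment with links, safe with respect to the
 *   characters re_tweet matches
 */
var parse_tweet_right = function(s) {
  // The three characters re_entities matches and their escaped forms.
  var entity_map = {'<': '&lt;', '>': '&gt;', '&': '&amp;'};
  return s.replace(re_tweet, function(m0) {
    if (m0.match(/^[<>&]$/)) {
      return entity_map[m0];
    } else if (m0.match(/^http/)) {
      return make_link(m0, m0);
    } else if (m0.match(/^@/)) {
      // re_user restricts the name to [0-9A-Za-z_], so it is safe to
      // place directly in the URL path.
      var name = m0.slice(1);
      return '@' + make_link('http://twitter.com/' + name, name);
    } else if (m0.match(/^#/)) {
      // The hashtag may contain any non-space character; encode it for
      // the query string and let make_link escape the visible text.
      return make_link('http://twitter.com/search?q=' + encodeURIComponent(m0), m0);
    } else {
      // Not reachable with the current re_tweet; keeps replace() total.
      return m0;
    }
  });
};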
- Tweet:
- Parsed:
�������DOM Element���ä������Ȥ���Ф��Ƥ���Ȥ����櫓�Ǥ���
����ɽ����("����óݤ��Ƥ��ޤ��褦��)����������ʤ�ΤǤ⡢�����XSS���ɤ���Ƥ��ޤ���
�̤Τ������򤹤�С�
���������ץ�����������ϡ����ä��ó¤¤ï¿½ï¿½ï¿½È¹ï¿½Â¤ï¿½ï¿½ï¿½ï¿½
�Ȥ������Ȥˤʤ�Ǥ��礦����
Dan the Structured Programmer
Dan the Blogger Hereof