<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><font size="+1"><font face="Lucida Grande">Clearly this is a lot
of work, Nathalie, for which many thanks. I don't quite
understand what this document has to do with the RDS exercise
though, would you mind explaining the link?</font></font></p>
<p><font size="+1"><font face="Lucida Grande">Kind regards, <br>
</font></font></p>
<p><font size="+1"><font face="Lucida Grande">Stephanie Perrin</font></font><br>
</p>
<br>
<div class="moz-cite-prefix">On 2016-06-08 17:39, nathalie coupet
via gnso-rds-pdp-wg wrote:<br>
</div>
<blockquote
cite="mid:1777124813.667701.1465421973064.JavaMail.yahoo@mail.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff;
font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial,
Lucida Grande, sans-serif;font-size:16px">
<div id="yiv8841879420">
<div id="yui_3_16_0_ym19_1_1465421927814_3372">
<div
style="color:#000;background-color:#fff;font-family:HelveticaNeue,
Helvetica Neue, Helvetica, Arial, Lucida Grande,
sans-serif;font-size:16px;"
id="yui_3_16_0_ym19_1_1465421927814_3371">
<div style="margin:15pt 0in;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3363"><span
style="font-size:13.5pt;color:#4D4D4D;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3364">The
following is a JavaScript security flaw:</span></div>
<div style="border-top:solid #E4E4E4 1.0pt;border-left:none;border-bottom:solid #E4E4E4 1.0pt;border-right:none;padding:0in;background:#FAFAFA;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3366">
<pre style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);margin:0;">&lt;script&gt;
  var str = "&lt;/script&gt;&lt;script&gt;alert('Pwned');&lt;/script&gt;";
&lt;/script&gt;</pre>
</div>
<div style="margin:15pt 0in;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3392"><span
style="font-size:13.5pt;color:#4D4D4D;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3393">The
browser ignores the fact that the </span><span
style="font-size:11.5pt;color:#4D4D4D;border:solid
#E4E4E4 1.0pt;padding:0in;background:#FAFAFA;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3394">&lt;script&gt;</span><span
style="font-size:13.5pt;color:#4D4D4D;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3395"> tags
are inside a JavaScript string, invoking the </span><span
style="font-size:11.5pt;color:#4D4D4D;border:solid
#E4E4E4 1.0pt;padding:0in;background:#FAFAFA;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3396">alert()</span><span
style="font-size:13.5pt;color:#4D4D4D;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3397"> function.</span></div>
<div style="margin:15pt 0in;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3399"><span
style="font-size:13.5pt;color:#4D4D4D;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3400">The
reason for this odd behavior is that the page gets rendered in various stages.
First the HTML is parsed, and a render tree created. Only then is the
JavaScript actually executed. In the example above, the render tree sees the </span><span
style="font-size:11.5pt;color:#4D4D4D;border:solid
#E4E4E4 1.0pt;padding:0in;background:#FAFAFA;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3401">&lt;script&gt;</span><span
style="font-size:13.5pt;color:#4D4D4D;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3402"> tags,
and is oblivious to the fact that they’re inside a string; it has no
concept of JavaScript. It strips these out, and evaluates the script nodes as
usual with our injected message.</span></div>
<div style="margin:15pt 0in;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3404"><span
style="font-size:13.5pt;color:#4D4D4D;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3405">This
behavior would be little more than a curiosity, were
it not for the common
pattern of injecting JSON into documents, say with
ERB.</span></div>
<div style="border-top:solid #E4E4E4 1.0pt;border-left:none;border-bottom:solid #E4E4E4 1.0pt;border-right:none;padding:0in;background:#FAFAFA;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3407">
<pre style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);margin:0;">&lt;script&gt;
  var users = &lt;%= @users.to_json.html_safe %&gt;;
&lt;/script&gt;</pre>
</div>
<div style="margin:15pt 0in;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3423"><span
style="font-size:13.5pt;color:#4D4D4D;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3424">If
you have the line above anywhere in your code, and </span><span
style="font-size:11.5pt;color:#4D4D4D;border:solid
#E4E4E4 1.0pt;padding:0in;background:#FAFAFA;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3425">@users</span><span
style="font-size:13.5pt;color:#4D4D4D;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3426"> includes
some user submitted data, your application is vulnerable to an
XSS attack.</span></div>
<div
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3162">
</div>
<div style="margin:15pt 0in;" dir="ltr"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3428"><b
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3429"><span
style="font-size:13.5pt;color:#4D4D4D;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3430">[SM-D01-R01]
</span></b><span
style="font-size:13.5pt;color:#4D4D4D;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3431">If
you’re using Rails, thwart this vulnerability by
setting </span><span
style="font-size:11.5pt;color:#4D4D4D;border:solid
#E4E4E4 1.0pt;padding:0in;background:#FAFAFA;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3432">ActiveSupport.escape_html_entities_in_json</span><span
style="font-size:13.5pt;color:#4D4D4D;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3433"> to </span><span
style="font-size:11.5pt;color:#4D4D4D;border:solid
#E4E4E4 1.0pt;padding:0in;background:#FAFAFA;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3434">true</span><span
style="font-size:13.5pt;color:#4D4D4D;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3435">.
The default is </span><span
style="font-size:11.5pt;color:#4D4D4D;border:solid
#E4E4E4 1.0pt;padding:0in;background:#FAFAFA;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3436">false</span><span
style="font-size:13.5pt;color:#4D4D4D;"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3437">.</span></div>
<div
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3161"
dir="ltr"> <a moz-do-not-send="true"
href="https://blog.alexmaccaw.com/a-javascript-security-flaw"
class="enhancr2_0b26a89e-521d-ff5c-b534-22437599d57c"
id="yui_3_16_0_ym19_1_1465421927814_4028">A JavaScript
Security Flaw • Alex MacCaw</a></div>
<div id="yui_3_16_0_ym19_1_1465421927814_4035"><br>
</div>
<div><br>
</div>
<div class="yiv8841879420signature"
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3160">Nathalie
Coupet </div>
</div>
</div>
</div>
</div>
<br>
<pre wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></pre>
</blockquote>
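<p>The quoted post says the HTML parser ends a script element at the first <code>&lt;/script&gt;</code> it meets, even inside a JavaScript string, and that escaping HTML entities in the JSON is the Rails fix. The Ruby below is an added, stand-alone illustration of both halves of that argument; it is not code from the post, from Rails, or from anyone on this thread. The <code>USERS</code> records and the <code>&lt;/script&gt;</code>-bearing name are constructed test data; <code>json_for_script</code> reproduces the substitution that <code>ActiveSupport.escape_html_entities_in_json = true</code> performs (an approximation written here, not the Rails implementation), and <code>script_body_seen_by_html_parser</code> is a deliberately simplified model of the tokenizer's script-data state.</p>

```ruby
require "json"

# Constructed sample data (not from the thread): one record carries the
# "</script>" sequence from the quoted post, standing in for any
# user-submitted field that ends up in @users.
USERS = [
  { "name" => "alice", "role" => "admin" },
  { "name" => "</script><script>alert('Pwned')</script>", "role" => "user" },
].freeze

# Naive embedding, the equivalent of the quoted ERB line.  JSON.generate
# leaves '<', '>' and '&' untouched, so the closing tag survives into
# the page source exactly as the user typed it.
def naive_script_tag(data)
  "<script>\n  var users = #{JSON.generate(data)};\n</script>"
end

# Assumed approximation of what ActiveSupport.escape_html_entities_in_json
# does when set to true: the characters that can open or close an HTML
# tag are written as JSON \uXXXX escapes.  The browser's JSON/JS parser
# decodes them back to the original characters, while the HTML tokenizer,
# which runs first, never sees a literal '<'.  U+2028/U+2029 are included
# because they are valid in JSON strings but terminate a JS string literal
# in older engines.
JSON_HTML_ESCAPES = {
  "<" => "\\u003c",
  ">" => "\\u003e",
  "&" => "\\u0026",
  "\u2028" => "\\u2028",
  "\u2029" => "\\u2029",
}.freeze

def json_for_script(data)
  JSON.generate(data).gsub(/[<>&\u2028\u2029]/, JSON_HTML_ESCAPES)
end

# Hardened embedding: same template, escaped JSON.
def safe_script_tag(data)
  "<script>\n  var users = #{json_for_script(data)};\n</script>"
end

# Simplified model of the HTML tokenizer's "script data" state: the script
# element ends at the first "</script" (case-insensitive) regardless of
# JavaScript string boundaries.  Returns the text the browser would hand
# to the JS engine, or nil if no script element is found.
def script_body_seen_by_html_parser(html)
  m = html.match(%r{<script[^>]*>(.*?)</script}mi)
  m && m[1]
end

# Round-trip check: escaped JSON must still decode to the original data,
# otherwise the "fix" would have changed what the page's JavaScript sees.
def decoded_users(json)
  JSON.parse(json)
end

if __FILE__ == $PROGRAM_NAME
  puts "--- naive: script body the HTML parser hands to JS ---"
  puts script_body_seen_by_html_parser(naive_script_tag(USERS)).inspect
  puts "--- escaped: script body the HTML parser hands to JS ---"
  puts script_body_seen_by_html_parser(safe_script_tag(USERS)).inspect
end
```

<p>Run stand-alone, the naive case shows the script body cut off after <code>{"name":"</code>: everything from the user's <code>&lt;/script&gt;</code> onward is parsed as new HTML, which is the behaviour the post describes. In the escaped case the body is the complete <code>var users = [...]</code> statement, and <code>JSON.parse</code> of the escaped text still yields the original records.</p>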
<br>
</body>
</html>