Evasive transform for apparent HTML comments in quoted strings

bundleSource contains “evasive transforms”, that is, it transforms JavaScript modules into JavaScript modules that can get past the SES censorship regular expressions. The soundness of this design is that the SES shim runtime can’t afford to carry a full JavaScript parser, and assumes significantly less risk by not including a JS parser in its trusted compute base (TCB). However, the build step for an archive or bundle can afford to perform transformations that allow code to evade the censor with full awareness of the syntax tree.

One additional transform we could include would allow HTML comments to appear inside JavaScript strings, as described by @naugtur in https://github.com/endojs/endo/issues/1207.

"<!--" is safe, but censored.

"<!" + "--" is equivalent, safe, and not censored.

The same can be achieved in template literals, as in:

const before = `<!--`;
const after = `${'<'}!--`;

Issue Analytics

  • State: open
  • Created a year ago
  • Comments: 13 (13 by maintainers)

Top GitHub Comments

1 reaction
gibson042 commented, Jun 16, 2022

I don’t think so, because escape sequences are observable by the function being called:

(strings => {
  const [raw] = strings.raw, [cooked] = strings;
  console.log(JSON.stringify({raw, cooked}));
  return cooked === raw;
})`<!-- \x3C!--`;
// returns: false
// logs: {"raw":"<!-- \\x3C!--","cooked":"<!-- <!--"}
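As an added example, not code from endo, bundleSource or the SES shim, the following standalone transform does what the issue body describes for string-literal values ("<!--" becomes "<" + "!--", and likewise for "-->") and for the untagged template form, and also exercises the caveat from gibson042's comment above: a template tag observes the pieces, so the template rewrite is not transparent under a tag. It assumes an AST-aware caller has already extracted the literal's value (the build step that has "full awareness of the syntax tree"); the censor regex is a stand-in for the shim's HTML-comment check and is not copied from it.

```javascript
// Added example; not code from endo, bundleSource or the SES shim.
// Stand-in for the shim's HTML-comment censor (an assumption, not copied from SES).
const HTML_COMMENT_CENSOR = /<!--|-->/;

// Split a string value into pieces so that no piece contains "<!--" or "-->"
// and the pieces concatenate back to the value. Each boundary falls right
// after the first character of an occurrence, so overlaps such as "<!-->"
// are split correctly as well.
function splitHtmlCommentTokens(value) {
  const parts = [];
  let rest = value;
  for (let m; (m = /<!--|-->/.exec(rest)) !== null; ) {
    parts.push(rest.slice(0, m.index + 1));
    rest = rest.slice(m.index + 1);
  }
  parts.push(rest);
  return parts;
}

// Source text for a `+` chain of double-quoted literals equal to `value`.
// JSON.stringify output is a valid JavaScript string literal.
function evasiveStringExpression(value) {
  const parts = splitHtmlCommentTokens(value).filter(p => p !== '');
  return parts.length === 0 ? '""' : parts.map(p => JSON.stringify(p)).join(' + ');
}

// Characters that must be escaped inside a template literal; CR/LF are
// escaped because a raw line terminator in a template is normalised to LF.
const TEMPLATE_ESCAPES = {
  '\\': '\\\\', '`': '\\`', '$': '\\$',
  '\r': '\\r', '\n': '\\n', '\u2028': '\\u2028', '\u2029': '\\u2029',
};
function escapeTemplateText(text) {
  return text.replace(/[\\`$\r\n\u2028\u2029]/g, c => TEMPLATE_ESCAPES[c]);
}

// Source text for an untagged template literal equal to `value`: the first
// character of each occurrence moves into a `${...}` substitution, as in
// `${'<'}!--` from the issue body.
function evasiveTemplateSource(value) {
  const parts = splitHtmlCommentTokens(value);
  let text = '';
  for (let i = 0; i < parts.length - 1; i += 1) {
    const piece = parts[i];
    text += escapeTemplateText(piece.slice(0, -1)) + '${' + JSON.stringify(piece.slice(-1)) + '}';
  }
  text += escapeTemplateText(parts[parts.length - 1]);
  return '`' + text + '`';
}

// Evaluate the generated source and report whether it round-trips to the
// original value and whether the censor would still reject it.
function checkEvasion(value) {
  const report = {};
  for (const [kind, src] of [
    ['string', evasiveStringExpression(value)],
    ['template', evasiveTemplateSource(value)],
  ]) {
    // Evaluating our own generated source; fine for a demo, not for untrusted input.
    const evaluated = new Function('return (' + src + ');')();
    report[kind] = { src, roundTrips: evaluated === value, censored: HTML_COMMENT_CENSOR.test(src) };
  }
  return report;
}

// The caveat from the thread: a tag function receives the literal pieces and
// their raw text, so the template rewrite changes what a tagged template sees.
// Returns true when the tag observes a different raw string after the rewrite.
function tagSeesDifferentRaw(value) {
  const tag = strings => strings.raw.join('');
  const before = new Function('tag', 'return tag`' + escapeTemplateText(value) + '`;')(tag);
  const after = new Function('tag', 'return tag' + evasiveTemplateSource(value) + ';')(tag);
  return before !== after;
}

// Constructed sample values, including the overlapping "<!-->" case.
console.log(JSON.stringify(checkEvasion('x <!-- y --> z'), null, 2));
console.log(JSON.stringify(checkEvasion('<!-->'), null, 2));
console.log('tag observes rewrite:', tagSeesDifferentRaw('<!--'));
```

Run it with node. The splitter is shared by both output forms so the overlapping case is handled once; the practical consequence of tagSeesDifferentRaw is that a transform of this kind should rewrite plain string literals and untagged templates only, and leave tagged templates alone, since the tag can compare `strings` against `strings.raw` exactly as the comment above shows.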
0 reactions
naugtur commented, Jun 20, 2022

As for the evasive transform’s code itself, it’d be nice to get them out of bundleSource, where it’s coupled with the surrounding code, and offer a bunch of string-to-string and/or Babel AST evasive transforms to mix and match.

Having trouble reaching those and selecting only the ones I want to use, I ended up writing a separate transform here: packages/experiment-run-cli/src/sesEvasionTransform.js
