From 918a80c857ae0856f908084b02e9b9ff3f02c11f Mon Sep 17 00:00:00 2001 From: David Grudl Date: Sat, 24 May 2014 02:40:35 +0200 Subject: [PATCH] Html: added protection against innerHTML mXSS vulnerability [Closes nette/nette#1496] (possible BC break) IE8 for code `
` produces invalid innerHTML `
`. Adding a space at the end of the attribute forces IE to put quotes around the attribute. More info: http://www.nds.rub.de/research/publications/mXSS-Attacks/ http://www.slideshare.net/x00mario/the-innerhtml-apocalypse
---
 src/Utils/Html.php | 10 ++++++++--
 tests/Utils/Html.basic.phpt | 1 +
 tests/Utils/Html.data.phpt | 3 ++-
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/Utils/Html.php b/src/Utils/Html.php
index a29b01ec3..a384b9e15 100644
--- a/src/Utils/Html.php
+++ b/src/Utils/Html.php
@@ -523,7 +523,10 @@ public function attributes()
 $v = Json::encode($v);
 }
 $q = strpos($v, '"') === FALSE ? '"' : "'";
- $s .= ' data-' . $k . '=' . $q . str_replace(array('&', $q), array('&', $q === '"' ? '"' : '''), $v) . $q;
+ $s .= ' data-' . $k . '='
+ . $q . str_replace(array('&', $q), array('&', $q === '"' ? '"' : '''), $v)
+ . (strpos($v, '`') !== FALSE && strpbrk($v, ' <>"\'') === FALSE ? ' ' : '')
+ . $q;
 }
 }
 continue;
@@ -551,7 +554,10 @@ public function attributes()
 }
 $q = strpos($value, '"') === FALSE ? '"' : "'";
- $s .= ' ' . $key . '=' . $q . str_replace(array('&', $q), array('&', $q === '"' ? '"' : '''), $value) . $q;
+ $s .= ' ' . $key . '='
+ . $q . str_replace(array('&', $q), array('&', $q === '"' ? '"' : '''), $value)
+ . (strpos($value, '`') !== FALSE && strpbrk($value, ' <>"\'') === FALSE ? ' ' : '')
+ . $q;
 }
 $s = str_replace('@', '@', $s);
diff --git a/tests/Utils/Html.basic.phpt b/tests/Utils/Html.basic.phpt
index 3493e2d86..30489fbfe 100644
--- a/tests/Utils/Html.basic.phpt
+++ b/tests/Utils/Html.basic.phpt
@@ -66,6 +66,7 @@ test(function() {
 test(function() { // attributes escaping
 Assert::same( '', (string) Html::el('a')->one('"')->two("'")->three('<>')->four('&') );
+ Assert::same( '' , (string) Html::el('a')->one("``xx") ); // mXSS
 });
diff --git a/tests/Utils/Html.data.phpt b/tests/Utils/Html.data.phpt
index c49413b43..4d0fbe572 100644
--- a/tests/Utils/Html.data.phpt
+++ b/tests/Utils/Html.data.phpt
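Review bot: The mXSS guard `(strpos($v, '`') !== FALSE && strpbrk($v, ' <>"\'') === FALSE ? ' ' : '')` is appended with no comment, so the trailing space reads like a stray and is likely to be "cleaned up" later; the identical expression is also duplicated verbatim in the second hunk for `$value`. I would pull it into one private static helper and put the rationale from the commit message on it: `// IE8 innerHTML re-serialises an attribute value that contains a backtick but none of space/<>/"/' without quotes, so the backtick can be re-parsed as a delimiter (mXSS, nette/nette#1496); a trailing space forces IE to keep the quotes.` Note that only the ASCII space is in the `strpbrk` list, so a value with a backtick plus a tab or newline also gets padded; that is the safe direction (an unneeded space is harmless), but the comment should say it is intentional, and because `$v` has already passed through `Json::encode()` in the first hunk the check runs on the encoded form, which is the string actually emitted. The enclosing `attributes()` method starts and ends outside both hunks.
```php
/** Trailing space that makes IE8 innerHTML keep the quotes around a backtick-bearing value (mXSS, nette/nette#1496). */
private static function mxssPadding($value)
{
	// only ASCII space is checked; padding a value that holds other whitespace is harmless
	return strpos($value, '`') !== FALSE && strpbrk($value, ' <>"\'') === FALSE ? ' ' : '';
}

// … unchanged: data- attribute loop in attributes() …
				. self::mxssPadding($v)
// … unchanged: regular attribute loop in attributes() …
				. self::mxssPadding($value)
```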
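Review bot: The added `Assert::same( '' , (string) Html::el('a')->one("``xx") ); // mXSS` covers only the positive case (backticks and no quote-preserving character); there is no assertion that a backtick value which also contains a space, `<`, `>`, `"` or `'` is rendered without the extra trailing space, so a regression that pads every backtick-bearing value would still pass. I would add a companion `Assert::same(...)` right after it using a constructed value such as `"`` x"` and expecting the attribute value unchanged. The expected markup strings in this hunk appear to have been stripped on this page, so I cannot quote the exact expected output.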
@@ -19,8 +19,9 @@ test(function() { // deprecated
 $el->data['d'] = '';
 $el->data['e'] = 'two';
 $el->{'data-x'} = 'x';
+ $el->data['mxss'] = '``two';
- Assert::same( '
', (string) $el );
+ Assert::same( '
', (string) $el );
 });