I am writing a report about XML injection attacks in HTML. Thus I am going to have (mangled) HTML content as the content of my HTML. As such I am trying to wrap my HTML content in CDATA blocks but it does seem to be rendering properly.
I have the (validated by W3C) document:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>report</title>
</head>
<body>
<div><![CDATA[AuthType=<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">]]></div>
</body>
</html>
From my understanding of the Wikipedia article this means that the content should be “marked for the parser to interpret as only character data, not markup”. So the output should be
AuthType=<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
However, in both Chrome 21.0.1180.60 m and Firefox 14.0.1 all that renders is
]]>
What is going on? Shouldn’t everything from the <![CDATA[ to the first ]]> appear on screen as if every character had been escaped?
CDATA sections are recognized by browsers only in XML parsing mode. In legacy HTML mode, strange things happen, as you have seen.
So you would need to configure the server to send the document with an XHTML Content-Type. This in turn would prevent old versions of IE (up to IE 8) from not rendering the document at all.
The practical ways of displaying HTML tags as content of an HTML document are:
a) Present each
<as<and each&as&. Works in legacy HTML ande in XHTML.b) Wrap the data in an
xmpelement. Works in legacy HTML (only – so no XML Content-Type, but just declaring an XHTML doctype doesn’t matter, it gets ignored anyway). Example:The
xmpmarkup also implies a monospace font andpre-like rendering where whitespace is honored. But these can be overridden with CSS. Thexmpelement was dropped from HTML specs long ago but is supported by browsers quite well.