Microsoft toStaticHTML HTML Sanitizing Information Leak Vulnerability

Aleph Research Advisory

Identifier

Severity

Moderate

Product

Microsoft Internet Explorer

Mitigation

Apply patches.

Technical Details

An attacker can craft CSS that, after passing through the toStaticHTML function, still contains an expression() that triggers a JavaScript call.

The following JavaScript code will demonstrate the vulnerability:

<script>document.write(toStaticHTML("<style>div{color:rgb(0,0,0)&a=expression(alert(1))}</style>Adi Cohen"))</script>

This code bypasses the filtering engine for two reasons:

  • The filtering engine allows the string "expression(" to exist in locations within the CSS that it considers non-dangerous.
  • The filtering engine encodes characters such as &, < and > to their HTML entities (&amp;, &lt;, &gt;, etc.).

Combining these two facts, the attacker can use the semicolon that terminates an HTML entity to also terminate the current CSS declaration and start a new one without the filtering engine noticing, thus breaking its state machine and bypassing the filter.
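To make the state-machine confusion concrete, the following Python model is added here (it is not Microsoft's code and not part of the advisory): it stands in for the entity-encoding step the advisory describes with html.escape (an assumption about the real encoder), then splits the result the way a CSS parser does, and shows the two checks a sanitizer author would want: the dangerous token flagged in every position, and the parse structure compared before and after encoding.

```python
import html
import re

# Constructed from the advisory's PoC: the <style> body before sanitizing.
RAW_CSS = 'div{color:rgb(0,0,0)&a=expression(alert(1))}'


def encode_like_sanitizer(css):
    """Model of the encoding step the advisory describes: '&', '<' and '>'
    become HTML entities. html.escape is an assumed stand-in for the real
    toStaticHTML encoder, not its implementation."""
    return html.escape(css, quote=False)


def declarations(css):
    """Split every rule body on ';' the way a CSS parser does. The parser
    knows nothing about HTML entities, so the ';' that closes '&amp;' also
    closes the declaration it sits in."""
    out = []
    for body in re.findall(r'\{([^}]*)\}', css):
        out.extend(d.strip() for d in body.split(';') if d.strip())
    return out


def contains_expression(css):
    """Defensive check: flag 'expression(' in any declaration, in any
    position, after normalizing case and whitespace around the paren."""
    pat = re.compile(r'expression\s*\(', re.IGNORECASE)
    return any(pat.search(d) for d in declarations(css))


def structure_preserved(raw):
    """A sanitizer's encoding step must not change how its output parses.
    Returns True when the declaration boundaries are the same before and
    after encoding; False means the encoder created or merged a declaration."""
    return len(declarations(raw)) == len(declarations(encode_like_sanitizer(raw)))


def demonstrate(raw):
    """Return (declarations before encoding, declarations after encoding)
    so the change in parse structure is visible side by side."""
    return declarations(raw), declarations(encode_like_sanitizer(raw))


if __name__ == '__main__':
    before, after = demonstrate(RAW_CSS)
    print('before encoding:', before)
    print('after encoding: ', after)
    print('structure preserved:', structure_preserved(RAW_CSS))
    print('expression() present:', contains_expression(encode_like_sanitizer(RAW_CSS)))
```

The single declaration before encoding becomes two afterwards, which is exactly the boundary the original filter never saw.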

Every application that relies on toStaticHTML to sanitize user-supplied data is likely vulnerable to XSS.

Timeline

Credit

  • Adi Cohen

External References