Exemplo n.º 1
    def is_executable(self):
        """
        Tell whether the payload is echoed somewhere executable in this
        script text.

        :return: True if at least one JavaScript context yielded by
                 get_js_context_iter() for the payload reports
                 is_executable(); False otherwise, including when no
                 context is yielded at all.
        """
        code = self.get_context_content()
        contexts = get_js_context_iter(code, self.payload)

        # A single executable context is enough to flag the echo; any()
        # stops at the first hit, just like an early return would.
        return any(ctx.is_executable() for ctx in contexts)
Exemplo n.º 2
    def is_executable(self):
        """
        Report whether any JavaScript context holding the echoed payload is
        executable.

        The script text comes from get_context_content() and is split into
        contexts by get_js_context_iter().

        :return: True on the first context whose is_executable() is truthy,
                 False when none is.
        """
        code = self.get_context_content()

        for ctx in get_js_context_iter(code, self.payload):
            # Non-executable echoes are not interesting on their own, keep
            # looking at the remaining contexts
            if not ctx.is_executable():
                continue

            return True

        return False
Exemplo n.º 3
    def can_break(self):
        """
        Tell whether the payload can break out of this script text.

        The parent class check runs first; the JavaScript contexts are only
        inspected when that check fails.

        :return: True if the parent's can_break() succeeds or if at least
                 one JavaScript context where the payload is echoed reports
                 can_break(); False otherwise.
        """
        # Breaking out of the enclosing context already settles the question
        if super(ScriptText, self).can_break():
            return True

        code = self.get_context_content()
        contexts = get_js_context_iter(code, self.payload)

        # Escaping from one of the JavaScript contexts is sufficient
        return any(ctx.can_break() for ctx in contexts)
Exemplo n.º 4
    def can_break(self):
        """
        Report whether the echoed payload can escape from this script text.

        :return: True when either the parent class' can_break() or the
                 can_break() of any JavaScript context yielded by
                 get_js_context_iter() is truthy; False otherwise.
        """
        # The parent class check comes first and short-circuits the rest
        if super(ScriptText, self).can_break():
            return True

        code = self.get_context_content()

        for ctx in get_js_context_iter(code, self.payload):
            # Keep scanning until one context can be escaped from
            if not ctx.can_break():
                continue

            return True

        return False
Exemplo n.º 5
    def is_executable_js_event(self):
        """
        Detect a payload echoed inside the code of a JavaScript event
        handler attribute, for example:
          <h1 onmouseover="do_something(PAYLOAD)">This is a header</h1>

        :return: False if the attribute name is not in JS_EVENTS; otherwise
                 True when at least one JavaScript context where the payload
                 is echoed reports is_executable(), and False when none does.
        """
        if self.name not in JS_EVENTS:
            return False

        # NOTE(review): extract_code() presumably strips an optional leading
        # "javascript:" (browsers do not require it in event handlers, but
        # some accept it) -- confirm against its implementation
        code = self.extract_code()

        # Delegate the is_executable decision to the JavaScript parser: one
        # executable context is enough
        return any(ctx.is_executable()
                   for ctx in get_js_context_iter(code, self.payload))
Exemplo n.º 6
    def is_executable_js_event(self):
        """
        Handle payloads reflected in event handler attributes such as:
          <h1 onmouseover="do_something(PAYLOAD)">This is a header</h1>

        :return: True only when the attribute name is in JS_EVENTS and some
                 JavaScript context containing the payload is executable.
        """
        if self.name not in JS_EVENTS:
            return False

        # The handler source is taken from extract_code(); presumably that
        # helper drops an optional "javascript:" prefix -- verify there
        code = self.extract_code()

        for ctx in get_js_context_iter(code, self.payload):
            # The JavaScript parser decides whether each echo is executable;
            # skip the ones that are not
            if not ctx.is_executable():
                continue

            return True

        return False
Exemplo n.º 7
    def is_executable_html_attr_with_js_protocol(self):
        """
        Detect a payload echoed in an attribute that carries code through
        the javascript: protocol, for example:
          <a href="javascript:do_something(PAYLOAD)">This is a link</a>

        :return: False if the attribute name is not in EXECUTABLE_ATTRS or
                 if extract_code() returns the attribute value unchanged;
                 otherwise True when at least one JavaScript context where
                 the payload is echoed reports is_executable().
        """
        if self.name not in EXECUTABLE_ATTRS:
            return False

        code = self.extract_code()

        # An unchanged value means the attribute DOES NOT start with
        # javascript:, so the browser will not run it as a script
        if self.value == code:
            return False

        # Delegate the is_executable decision to the JavaScript parser: one
        # executable context is enough
        return any(ctx.is_executable()
                   for ctx in get_js_context_iter(code, self.payload))
Exemplo n.º 8
    def is_executable_html_attr_with_js_protocol(self):
        """
        Handle payloads reflected after a javascript: protocol prefix:
          <a href="javascript:do_something(PAYLOAD)">This is a link</a>

        :return: True only when the attribute name is in EXECUTABLE_ATTRS,
                 extract_code() returns something different from the raw
                 value, and some JavaScript context containing the payload
                 is executable.
        """
        if self.name not in EXECUTABLE_ATTRS:
            return False

        code = self.extract_code()
        if self.value == code:
            # Nothing was removed by extract_code(), which is what happens
            # when the value DOES NOT start with javascript:
            return False

        for ctx in get_js_context_iter(code, self.payload):
            # The JavaScript parser decides whether each echo is executable;
            # skip the ones that are not
            if not ctx.is_executable():
                continue

            return True

        return False