Alan Hogan

Things Alan Hogan feels like sharing.

These are my comments on music, movies, books, web development and programming, Mac tips, and life in general. Enjoy!

Sun Feb 27

Is this ever an attack vector?

Consider this scenario.

  1. A trusted service provides a way for users to enter content which is then made available in a certain format to other users, perhaps via AJAX (XMLHttpRequest). The service, naturally, escapes the users’ content to prevent XSS attacks or other “hacks.”

  2. A user enters content that looks innocent in the intended format (say, HTML) but is perhaps malicious if interpreted in another format (say, as a JSON object).

  3. When the browser (or perhaps a JS framework) loads this maliciously crafted content, it heuristically determines that the content is “not” (say) HTML but “is” rather (say) JSON, and treats it that way.

Is this ever a plausible concern? Under what circumstances?
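To make the scenario concrete, here is an added example in JavaScript; it is not part of the original post. It pairs a client that guesses the response format from its content, evaluating anything that looks like a JSON array or object the way pre-`JSON.parse` clients did, with a client that trusts only the declared `Content-Type`. The function names, the constructed user input and the `sniffedPayloadRan` flag are assumptions made for illustration.

```javascript
// Added example (not from the original post): a response body that is safe
// as HTML text but dangerous if a client decides on its own that it is JSON
// and evaluates it. All names and inputs here are assumed for illustration.

// Escape user content for an HTML context only: &, <, >, ", ' are encoded,
// everything else passes through unchanged.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Naive loader: sniffs the body. Anything that starts and ends like a JSON
// array or object is evaluated as JavaScript, which is how JSON was consumed
// before JSON.parse existed. Evaluation means arbitrary code can run.
function naiveLoad(body) {
  const t = body.trim();
  if (/^[\[{]/.test(t) && /[\]}]$/.test(t)) {
    return { kind: 'json', value: Function('return (' + t + ')')() };
  }
  return { kind: 'html', value: t };
}

// Hardened loader: the declared Content-Type decides the format, and JSON
// only ever goes through the strict parser, which cannot execute code.
function strictLoad(body, contentType) {
  const type = (contentType || '').split(';')[0].trim().toLowerCase();
  if (type === 'application/json') return { kind: 'json', value: JSON.parse(body) };
  if (type === 'text/html') return { kind: 'html', value: body };
  throw new Error('unexpected Content-Type: ' + contentType);
}

function demo() {
  // Constructed attacker input: no HTML metacharacters, so HTML escaping
  // leaves it untouched, yet it is a JavaScript expression with a side effect.
  const userInput = '[globalThis.sniffedPayloadRan = true]';
  const stored = escapeHtml(userInput);
  const result = { storedUnchanged: stored === userInput };

  // The sniffing client "recognises" JSON and runs the payload.
  delete globalThis.sniffedPayloadRan;
  const naive = naiveLoad(stored);
  result.naiveKind = naive.kind;
  result.naiveExecuted = globalThis.sniffedPayloadRan === true;

  // The strict client honours the server's text/html declaration.
  delete globalThis.sniffedPayloadRan;
  const strict = strictLoad(stored, 'text/html');
  result.strictKind = strict.kind;
  result.strictExecuted = globalThis.sniffedPayloadRan === true;

  // Even if the server claimed JSON, the strict parser rejects the body
  // instead of evaluating it.
  try {
    strictLoad(stored, 'application/json');
    result.strictJsonRejected = false;
  } catch (e) {
    result.strictJsonRejected = e instanceof SyntaxError;
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The stored string is harmless wherever it is inserted as HTML text, which is the only context the escaping was written for; the damage comes entirely from a client that guesses the format and then evaluates. The same discipline applies on the server side: declare the exact `Content-Type` of every response and send `X-Content-Type-Options: nosniff` so the browser does not second-guess it.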