Ayende @ Rahien

My name is Oren Eini
Founder of Hibernating Rhinos LTD and RavenDB.
You can reach me by phone or email:


+972 52-548-6969

, @ Q c

Posts: 6,007 | Comments: 44,760

filter by tags archive

Resolving cross site scripting issues.

time to read 1 min | 198 words

I got a bug report about the following in the admin UI for RavenDB.


As you can imagine, this is certainly something that we would like to avoid, but there is a problem. How the hell do you find the problem?

I mean, obviously we are encoding the value when we present it to the user, since I can see it on the UI. But it is still running, so I am doing something bad here. But I don’t feel like traversing through a mountain of JavaScript to find out exactly where this is happening. Luckily, we don’t have to, we can use the XSS itself to help it localize it:


And given that, we can get directly to the actual fault:


And fixing that is a snap.



Excuse my incompetence but can you elaborate the connection between the yellowish debbuger variable and the javascript line of code?

Mike Scott


Do you mean the tooltip that displays the value of the children variable? Because the value isn't HTML encoded, any javascript will be inserted straight into that <span as is and thus will be executed on the browser - in this case a debugger breakpoint and then a call to the alert() function.

Mike Scott

Oren, sweet use of the debugger breakpoint!

I also wanted to suggest chaining the calls to append() in your jquery to prevent doing the $(childDiv) lookup multiple times, for example.

Ken Egozi

you should look into some kind of string templating instead of the concatenations

EJS is a great pick. it gives you a syntax similar to php/asp/ERB that is extremely familiar.

so you'd be creating the markup in using a view, then transferring the markup built to jQuery to be inserted to the DOM


@Mike: no thats not what I mean,

I mean the other yellow-marked word 'debugger', how does that bring him to the line of javascript code?


Nice technique. Are 100% percent sure that the "key" is already encoded as well? At the very least it can contain umlauts which have to be html encoded (or you might find yourself debugging a much harder problem a year in the future).


@Marcus: At least in Firebug when the javascript 'debugger;' statement is encountered; this simulates a breakpoint.


@Andrew: thanks thats explains it

He seems to be using Chrome though, according to the first image,

maybe Chrome has that functionality too.

Ayende Rahien


That is the same behavior in all browsers.

Felipe Fujiy

I didn´t understand why that string is show in UI and executing too.


Oops...my bad Oren.

Steve Gentile

As above that JsonDiv is getting wrapped twice

It was recommended to me to use $jsonDiv as a variable name to make it clear that it was already a wrapped jQuery object


Fixing just one instance of a problem is a sin You definitely have more problems like that and one alone is enough to hijack another user's credentials.


Or... you could just encode everything? I'm not sure what this is all about.

Michael Fever

Not all browsers show it the same way, but they will direct you to the line # of the problem. Chrome has the best devtools .. worth checking out.

Comment preview

Comments have been closed on this topic.


No future posts left, oh my!


  1. Speaking (3):
    23 Sep 2015 - Build Stuff 2015 (Lithuania & Ukraine), Nov 18 - 24
  2. Production postmortem (11):
    22 Sep 2015 - The case of the Unicode Poo
  3. Technical observations from my wife (2):
    15 Sep 2015 - Disk speeds
  4. Find the bug (5):
    11 Sep 2015 - The concurrent memory buster
  5. Buffer allocation strategies (3):
    09 Sep 2015 - Bad usage patterns
View all series



Main feed Feed Stats
Comments feed   Comments Feed Stats