3

For example the JSON callback we get on a google autosearch:

window.google.td && window.google.td('tljp1322487273527014', 4,{e:"HY7TTtmRFZPe8QPCvf30Dw",c:1,u:"http://www.google.co.uk/s?hl\x3den\x26cp\x3d5\x26gs_id\x3d17\x26xhr\x3dt\x26q\x3dowasp\x26pf\x3dp\x26sclient\x3dpsy-ab\x26source\x3dhp\x26pbx\x3d1\x26oq\x3d\x26aq\x3d\x26aqi\x3d\x26aql\x3d\x26gs_sm\x3d\x26gs_upl\x3d\x26bav\x3don.2,or.r_gc.r_pw.,cf.osb\x26fp\x3dbd20912ccdf288ab\x26biw\x3d387\x26bih\x3d362\x26tch\x3d4\x26ech\x3d15\x26psi\x3d5o3TTqCqCsnD0QXA7sUI.1322487273527.1\x26wrapid\x3dtljp1322487273527014",d:"[\x22owasp\x22,[[\x22owasp\x22,0,\x220\x22],[\x22owasp\\u003Cb\\u003E top 10\\u003C\\/b\\u003E\x22,0,\x221\x22],[\x22owasp\\u003Cb\\u003E top 10 2011\\u003C\\/b\\u003E\x22,0,\x222\x22],[\x22owasp\\u003Cb\\u003E zap\\u003C\\/b\\u003E\x22,0,\x223\x22]],{\x22j\x22:\x2217\x22}]"});window.google.td && window.google.td('tljp1322487273527014', 4,{e:"HY7TTtmRFZPe8QPCvf30Dw",c:0,u:"http://www.google.co.uk/s?hl\x3den\x26cp\x3d5\x26gs_id\x3d17\x26xhr\x3dt\x26q\x3dowasp\x26pf\x3dp\x26sclient\x3dpsy-ab\x26source\x3dhp\x26pbx\x3d1\x26oq\x3d\x26aq\x3d\x26aqi\x3d\x26aql\x3d\x26gs_sm\x3d\x26gs_upl\x3d\x26bav\x3don.2,or.r_gc.r_pw.,cf.osb\x26fp\x3dbd20912ccdf288ab\x26biw\x3d387\x26bih\x3d362\x26tch\x3d4\x26ech\x3d15\x26psi\x3d5o3TTqCqCsnD0QXA7sUI.1322487273527.1\x26wrapid\x3dtljp1322487273527014",d:""});

more specifically, how to go from:

"\x22te\\u003Cb\\u003Esco\\u003C\\/b\\u003E\x22,0,\x220\x22"

to 

"te\u003Cb\u003Esco\u003C\/b\u003E",0,"0"

to

"te<b>sco</b>"

Note that the System.Web UrlDecode and HtmlDecode are not able to handle this.

Interestingly, the AntiXss almost does the reverse, since it can go from:

"te<b>sco</b>"

To

te\00003Cb\00003Esco\00003C\00002Fb\00003E

Security angle

These decodings have a number of security implications since they will be rendered by the browser. For example if in Javascript/jQuery we have a variable with the payload

var xss = "te\u003Cscript\u003Ealert\u002812\u0029\u003C\u002Fscript\u003E"

will be triggered if assigned to a div's html

$("#header").html(xss)
Improve this question
1
  • 1
    Are we talking about C# or JavaScript here? Commented Nov 28, 2011 at 14:04

2 Answers 2

Reset to default
4 
\x....

WTF? \u - dat's okey. According to previous answer:

string str = @"P\u003e\u003cp\u003e Notes \u003cstrong\u003e Разработчик: \u003c/STRONG\u003e \u003cbr /\u003eЕсли игра Безразлично";
Regex regex = new Regex(@"\\u([0-9a-z]{4})",RegexOptions.IgnoreCase);
str = regex.Replace(str, match => char.ConvertFromUtf32(Int32.Parse(match.Groups[1].Value , System.Globalization.NumberStyles.HexNumber)));
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

It appears that "\x22te\\u003Cb\\u003Esco\\u003C\\/b\\u003E\x22,0,\x220\x22" is hex encoded, there is nothing available to decode this string out of the box, however the following should work:

var regex = new Regex(@"\\x([a-fA-F0-9]{2})");
var replaced = regex.Replace(input, match => char.ConvertFromUtf32(Int32.Parse(match.Groups[1].Value, System.Globalization.NumberStyles.HexNumber)));
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.