
The Grave Accent and XSS - davidmurdoch
https://davidmurdoch.com/2017/09/02/the-grave-accent-and-xss/
======
andybak
Wasn't adding a new character to browsers that needs escaping a grave (heh)
error of judgement?

There's a lot of unmaintained client side code out there.

~~~
TazeTSchnitzel
Escaping <>"' properly is still enough. Without them you can't create the
<script> needed to use a backtick.

~~~
extrapickles
You need to escape =. Otherwise if someone does something like:

document.write("<a class=" + str + " href='foo'>xss</a>");

The attacker can set str to "foo onclick=alert(1)".

~~~
jwilk
You should put quotes around the attribute value.

Then you won't need to escape =.

~~~
extrapickles
The issue is when a developer forgets to do so. No reason to not escape it.
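The subthread above turns on context: escaping only `<>"'` is enough inside element text or a quoted attribute, but not for the unquoted `class=` template extrapickles describes, where whitespace and `=` are what let a value grow a second attribute. The following is an added example, not code posted by any commenter. It renders extrapickles' template with a text-only escaper and with an attribute-context escaper (every non-alphanumeric character as a numeric entity, the approach the OWASP XSS prevention guidance gives for attribute values), and also with jwilk's quoted form. `attributeNames` is a rough helper, constructed for this demonstration, that lists what a browser would parse as separate attributes of a start tag; `escapeTextOnly`, `escapeAttrValue`, `renderUnquoted`, `renderQuoted` and `SAMPLE_INPUT` are likewise names chosen here.

```javascript
// Added example (not from the thread): HTML attribute-context escaping.

// The "escape <>\"'" approach discussed above. Enough in element text or
// inside a quoted attribute; not enough for an unquoted attribute value.
function escapeTextOnly(s) {
  const map = { '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[<>"']/g, ch => map[ch]);
}

// Attribute-context escaper in the style OWASP recommends for attribute
// values: every character outside [A-Za-z0-9] becomes &#xHH;. That covers
// & = ` and whitespace, so the value can neither end an unquoted attribute
// nor start a new one. The u flag makes astral characters one unit.
function escapeAttrValue(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, ch => {
    const hex = ch.codePointAt(0).toString(16).toUpperCase();
    return '&#x' + hex + ';';
  });
}

// The template from the thread: the class attribute is unquoted.
function renderUnquoted(str, esc) {
  return '<a class=' + esc(str) + " href='foo'>xss</a>";
}

// jwilk's fix: quote the attribute value (and escape the quote character).
function renderQuoted(str, esc) {
  return '<a class="' + esc(str) + '" href=\'foo\'>xss</a>';
}

// Rough attribute-name extractor for one start tag, constructed here only to
// show what ends up as separate attributes. Not a full HTML tokenizer; it
// handles unquoted, single-quoted and double-quoted values.
function attributeNames(startTag) {
  const inner = startTag.slice(startTag.search(/[\s>]/), startTag.indexOf('>'));
  const re = /\s+([^\s=>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1]);
  return names;
}

// The value extrapickles describes, reused as the constructed test input.
const SAMPLE_INPUT = 'foo onclick=alert(1)';

// Render the three variants and report which attributes each one produces.
function demo(input = SAMPLE_INPUT) {
  const variants = {
    unquotedTextEscape: renderUnquoted(input, escapeTextOnly),
    unquotedAttrEscape: renderUnquoted(input, escapeAttrValue),
    quotedTextEscape: renderQuoted(input, escapeTextOnly),
  };
  const report = {};
  for (const [name, html] of Object.entries(variants)) {
    report[name] = { html, attributes: attributeNames(html) };
  }
  return report;
}

console.log(JSON.stringify(demo(), null, 2));
```

Only the first variant yields an `onclick` attribute; both quoting the value and escaping `=` and whitespace keep the whole input inside `class`. The backtick itself passes through `escapeTextOnly` untouched and becomes `&#x60;` under `escapeAttrValue`, which is the character the linked article is about.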

------
limeblack
On the topic of XSS it seems funny that https makes you think something is
secure when it is often not with XSS. I remember finding an XSS in our high
school system. Even though the page was https the XSS allowed you to embed
other https sites which let me do malicious things without anyone knowing.

~~~
lucb1e
Assuming a website is secure only because it has a padlock is like assuming a
room is secure because it has a padlock. The room might have windows, back
doors, or the hinges might be on the outside. Https (reasonably) guarantees
confidentiality and integrity of the connection to the server, nothing more
and nothing less.

~~~
throwaway613834
> Https (reasonably) guarantees confidentiality and integrity of the
> connection to the server, nothing more and nothing less.

Nah, this is pretty wrong. It would be pretty useless (if not dangerous) if
that were all it did. The most important thing it establishes is the server's
authenticity, i.e. you don't want a tamper-proof and confidential connection
with the wrong server! And moreover, once you can guarantee authenticity, the
rest are secondary since they're easy to subsequently establish via key
exchange and hashing.

~~~
lucb1e
Oh, yes, authenticity. You're right, that's a third feature!

Still, it doesn't say anything about whether the website left the metaphorical
hinges on the outside (i.e. has other security issues, such as XSS).

~~~
poizan42
Can you really ensure confidentiality without authenticity though? Seems like
you inherently are susceptible to MITM attacks without authenticity. Are there
examples of the former without the latter?

~~~
lucb1e
With guaranteed confidentiality, you know it's confidential between you and
the other party. Who that other party is however... so yeah, I see your point.
I'm not sure if there's really a case for keeping these two separate, but
that's how it's currently taught in schools (at least in the Netherlands).

------
131hn
I do not think this symbol is either used (in combination with a letter) or
ever called anything but "backtick". It's not an "accent grave" (even if it
might be used as one), but a reversed apostrophe - backtick or backquote.

~~~
Symbiote
The key marked ` is often set as a "dead key" on European keyboard layouts --
typically the layouts where the accent isn't commonly used, but will be needed
for typing people and place names, or the occasional foreign word.

With a Danish Mac layout, to type ` I press it then press space. To type è, ì
etc, I press `, then press the vowel. Similarly I can use the keys marked ¨ ^
and ´. (The Danish letters æ, ø, å have their own keys, since they are used
very frequently.)

So, I would never call it "backtick", since it _is_ a grave accent.

~~~
Zecc
It pisses me off to no end when software uses keyboard shortcuts like Ctrl+`
or even just ~. These are simply unusable with my keyboard.

~~~
kps
It pisses me off to no end when software uses keyboard shortcuts like Ctrl+
_anything_ , unless it's using ASCII control characters (e.g. vi, emacs).
Every *nix GUI toolkit knew this until the year-of-desktop-Linux crowd
insisted on slavishly imitating every Windows mistake.

