Δευτέρα 10 Ιανουαρίου 2022

About CVE-2021-42574 bidirectional Unicode characters

 Here is a screen shot from M2000 Editor, with Syntax highlighting for M2000, from HtmlEditor (an EditBox using Syntax highlighting for html), and from cs editor (an EditBox using Syntax highlighting for cs). As we see in cs editor the Remarks are obvious, and the statement "document.writeln('You are an admin');" is a "working" statement.

M2000 Editor and TextBox use a special routine for working with bidirectional text, which never use control codes in Unicode text. So the controls are shown as is.

This is the "BAD" code:

<html>
    <script>
        function demo() {
            let isAdmin = false;
            /*‮ } ⁦if (isAdmin)⁩ ⁦ begin admin section */
                document.writeln('You are an admin');
            /* end admin section ‮ { ⁦*/
        }
        demo();
    </script>
    <body>    
</body></html>

This is from cs editor, if we copy to clipboard and paste here.   

 <html>

    <script>
        function demo() {
            let isAdmin = false;


            /*‮ } ⁦if (isAdmin)⁩ ⁦ begin admin section */
                document.writeln('You are an admin');
            /* end admin section ‮ { ⁦*/
}
        demo();
    </script>
    <body>

</body></html>





Δεν υπάρχουν σχόλια:

Δημοσίευση σχολίου