Bug? Base64 is not getting escaped

Hi,

Hope this is the correct place.
I stumbled across something strange:
I encoded a JavaScript to base64 and saved it in a struct which I added via the webserver to the meta tag of a webpage, like this:
someStrukt := Strukt{"0,url=data:text/html;base64,PHNjcmlwdD4gYWxlcnQoInBhd25lZCIpOyAgd2luZG93Lm9wZW4oImh0dHA6Ly9nb29nbGUuY29tIik7PC9zY3JpcHQ+"}
And the webpage part:
<META HTTP-EQUIV="refresh" CONTENT={{.M}}>
What I found strange is that it is executed. Some browsers also behaved in a very strange way. When doing this, IE is reloading the page over and over like crazy, and Chrome/Firefox are relinking me to a strange URL after the script is executed, like the script is a URL.

The only thing I found about this issue is

https://tools.ietf.org/html/rfc2397
But shouldn't these be escaped too if you have tags inside the coded data?
Also, is it even wanted that scripts are in the meta? I don't see a real usage for that.

Hope I didn't repost this issue.

best regards

Base64 data is valid as an HTML attribute value, so it doesn’t need escaping to be syntactically valid. The template system isn’t going to decode all base64 data to see what it contains, so it won’t notice that there happen to be HTML tags encoded inside.

In general, you shouldn’t allow user-supplied data in http refresh URIs.
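
An added example (not part of the thread and not the poster's code) illustrating the reply above: html/template's attribute escaping leaves a base64 data: URI intact, while a hypothetical `SafeRefresh` helper builds the refresh value only from allow-listed http(s) targets. The sample payload, the helper name and the host example.com are assumptions.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"html"
	"html/template"
	"net/url"
)

// Same shape as the template in the question, with the attribute quoted.
var page = template.Must(template.New("p").Parse(
	`<meta http-equiv="refresh" content="{{.M}}">`))

// Render executes the template with m as the refresh value.
func Render(m string) (string, error) {
	var b bytes.Buffer
	err := page.Execute(&b, struct{ M string }{m})
	return b.String(), err
}

// SafeRefresh (hypothetical helper) accepts only an absolute http(s) URL
// whose host is on the allow-list, so data: and javascript: never pass.
func SafeRefresh(delay int, target string, allowed map[string]bool) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" && u.Scheme != "http" {
		return "", fmt.Errorf("refresh target: scheme %q not allowed", u.Scheme)
	}
	if !allowed[u.Hostname()] {
		return "", fmt.Errorf("refresh target: host %q not allowed", u.Hostname())
	}
	return fmt.Sprintf("%d;url=%s", delay, u.String()), nil
}

// Constructed sample: a data: URI carrying base64-encoded markup.
var sample = "data:text/html;base64," +
	base64.StdEncoding.EncodeToString([]byte("<script>alert(1)</script>"))

func main() {
	out, _ := Render("0;url=" + sample)
	fmt.Println(html.UnescapeString(out)) // value after entity decoding: payload intact
	allowed := map[string]bool{"example.com": true}
	fmt.Println(SafeRefresh(0, sample, allowed)) // rejected: scheme "data"
	fmt.Println(SafeRefresh(0, "https://example.com/next", allowed))
}
```
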

Yes, I knew that it is legit to use base64, else the browsers would not execute the code. But what I find strange is that it is not escaped, because it is a “standard” and a pure string is escaped by default (unless you use templates). Since you could escape the escape by this (worst case), or am I seeing that too hard?

Also, from the web development side I cannot understand why it should be legit at all to invoke script on the meta tag. Wasn't the pure purpose of this tag to send metadata which is shown in thumbnails and search engines? Hope I am not getting too off-topic here.
