Failure to Sanitize Invalid Characters in Identifiers in Web Pages
Weakness ID: 86 (Weakness Variant)Status: Draft
+ Description

Description Summary

The software does not strip out invalid characters in the middle of tag names, URI schemes, and other identifiers, which are still rendered by some web browsers that ignore the characters. Some commonly used characters include null, CRLF, and other non-standard whitespace.
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

All

+ Observed Examples
ReferenceDescription
CVE-2004-0595XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. Multiple Interpretation Error (MIE) and validate-before-cleanse.
+ Potential Mitigations

see the vulnerability category "Cross-site scripting (XSS)"

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base79Failure to Preserve Web Page Structure ('Cross-site Scripting')
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfWeakness BaseWeakness Base436Interpretation Conflict
Research Concepts1000
PeerOfWeakness BaseWeakness Base184Incomplete Blacklist
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERInvalid Characters in Identifiers
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
73User-Controlled Filename
85Client Network Footprinting (using AJAX/XSS)
86Embedding Script (XSS ) in HTTP Headers
32Embedding Scripts in HTTP Query Strings
18Embedding Scripts in Nonscript Elements
63Simple Script Injection
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Description, Name, Relationships, Other Notes, Taxonomy Mappings
2009-10-29CWE Content TeamMITREInternal
updated Description, Other Notes
Previous Entry Names
Change DatePrevious Entry Name
2008-09-09Invalid Characters in Identifiers