Escaping is tricky, as demonstrated by a recent Gmail bug found by +Roman Shafigullin.
First, what are the escaping rules in HTML? Surely you already know that <, > and & have to be escaped into &lt;, &gt; and &amp;. How about URLs? The browser will apply percent decoding (e.g. %20 for space) when it parses the URL.
It means that:
is URL percent decoded to:
This is obviously bad. Instead, we want to apply proper escaping, in order:
2) URL percent encoding
3) HTML escaping
This bug was present in the Gmail mobile UI at https://mail.google.com/mail/mu - yes, there are multiple UIs for some products!
As seen in +Roman Shafigullin's screenshot, the bug was triggered by sending an email with a bogus mailto:
Gmail mobile parses the mailto and renders the link as:
It looks fine; however, as discussed earlier, the first thing the browser does is URL decoding, so %27 is decoded into a single quote and, as a result, the alert breaks out of the string parameter:
The browser will execute alert(1) when the link is clicked. Oops!
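The layered encoding the post argues for, as an added example that is not code from the post or from Gmail: the rendered shape `<a href="javascript:compose('...')">` and the function names are assumptions, and JavaScript string escaping is added as the innermost layer. It pairs a flawed builder (HTML escaping only) with a correct one, and simulates the browser's HTML-then-percent decoding to check whether the value stays inside the string literal.

```javascript
// Added example, not Gmail's code. Assumed markup: <a href="javascript:compose('VALUE')">
// where VALUE is an untrusted address. Layers, applied inside out:
// 1) JS string-literal escaping, 2) URL percent encoding, 3) HTML attribute escaping.

// Layer 1: make the value safe inside a single-quoted JS string literal.
function jsStringEscape(s) {
  return s.replace(/[\\'"<>\u2028\u2029\r\n]/g, c =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Layer 3: make the value safe inside a double-quoted HTML attribute.
function htmlAttrEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Flawed builder: HTML escaping only, so %27 survives until the browser percent-decodes it.
function buildLinkFlawed(address) {
  return '<a href="javascript:compose(\'' + htmlAttrEscape(address) + '\')">';
}

// Correct builder: JS-escape, then percent-encode, then HTML-escape.
// Note encodeURIComponent leaves ' unencoded, which is why layer 1 is needed.
function buildLinkFixed(address) {
  const inner = encodeURIComponent(jsStringEscape(address));
  return '<a href="javascript:compose(\'' + htmlAttrEscape(inner) + '\')">';
}

// Simulate the browser: HTML-decode the attribute, then percent-decode the
// javascript: URL, returning the JS source that would run on click.
function browserJsSource(markup) {
  const attr = /href="([^"]*)"/.exec(markup)[1];
  const ent = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };
  const htmlDecoded = attr.replace(/&(amp|lt|gt|quot|#39);/g, (m, e) => ent[e]);
  return decodeURIComponent(htmlDecoded.slice("javascript:".length));
}

// Return the single string-literal argument passed to compose(), or null when
// the source no longer has that shape (the value broke out of the literal).
function composeArgument(jsSource) {
  const m = /^compose\('((?:[^'\\]|\\.)*)'\)$/.exec(jsSource);
  return m ? m[1] : null;
}

// Interpret the \uXXXX escapes that jsStringEscape emits, recovering the runtime value.
function jsStringValue(literal) {
  return literal.replace(/\\u([0-9a-f]{4})/gi, (m, h) => String.fromCharCode(parseInt(h, 16)));
}
```

With the constructed input `a%27);alert(1);//`, the flawed builder yields source whose argument no longer parses (breakout), while the fixed builder round-trips the exact value.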