CWE Individual Dictionary Definition (1.1)
CWE-86: Failure to Sanitize Invalid Characters in Identifiers in Web Pages

Failure to Sanitize Invalid Characters in Identifiers in Web Pages
Status: Draft
Weakness ID: 86 (Weakness Variant)
Description
Summary

The software does not strip out invalid characters in the middle of tag names, URI schemes, and other identifiers; some web browsers ignore those characters and render the identifiers anyway.

Potential Mitigations

See the vulnerability category "Cross-site scripting (XSS)".

Observed Examples
Reference | Description
XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. Multiple Interpretation Error (MIE) and validate-before-cleanse.
Other Notes

Commonly used characters include null, CRLF, and other non-standard whitespace.

Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Base | 79 | Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS)) | Development Concepts (primary) 699; Research Concepts (primary) 1000
PeerOf | Weakness Base | 184 | Incomplete Blacklist | Research Concepts 1000
ChildOf | Weakness Base | 436 | Interpretation Conflict | Research Concepts 1000
Taxonomy Mappings
Mapped Taxonomy Name | Mapped Node Name
PLOVER | Invalid Characters in Identifiers
Applicable Platforms
Languages
All
Time of Introduction
* Implementation
Related Attack Patterns
CAPEC-ID (CAPEC Version 1.1) | Attack Pattern Name
63 | Simple Script Injection
18 | Embedding Scripts in Nonscript Elements
73 | User-Controlled Filename
85 | Client Network Footprinting (using AJAX/XSS)
32 | Embedding Scripts in HTTP Query Strings
86 | Embedding Script (XSS) in HTTP Headers
Content History
Submissions
PLOVER. (Externally Mined)
Modifications
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Description, Name, Relationships, Other_Notes, Taxonomy_Mappings
Previous Entry Names
* Invalid Characters in Identifiers (changed 2008-09-09)
Page Last Updated: November 24, 2008