Adi "Adico" Cohen

Internet Explorer 'toStaticHTML' HTML Sanitizing Information Disclosure Vulnerability CVE-2011-1252

The following post describes a bypass I found for the toStaticHTML function in IE, back in 2011.



The JavaScript function toStaticHTML, available in Internet Explorer 8 and Internet Explorer 9, is used to sanitize HTML fragments by stripping dynamic and potentially malicious content.

If an attacker is able to break the filtering mechanism and pass malicious code through this function, they may be able to perform HTML injection based attacks (i.e. XSS).


An attacker can craft a specially formed CSS snippet that, after passing through toStaticHTML, still contains an expression() that triggers a JavaScript call.

The following JavaScript code demonstrates the vulnerability (it should be written on a single line):

<script>document.write(toStaticHTML(" <style>div{color:rgb(0,0,0)&a=expression(alert(1))}</style> "))</script>

This code bypasses the filter engine for two reasons:

  1. The filtering engine allows the string "expression(" to exist in "non-dangerous" locations within the CSS string.

  2. The filtering engine encodes characters such as &, <, > (etc.) to their HTML entities (&amp;, &lt;, &gt;, etc.).

Combining these two facts, the attacker can use the semicolon that terminates the HTML entity to end one CSS declaration and start a new one without the filtering engine noticing, thus breaking its state machine and bypassing the filter.

The output of the toStaticHTML will look like:


As we all know, '=' is equivalent to ':' in CSS and therefore evaluates correctly.
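The declaration split described above, as an added example that is not part of the original post and does not reproduce toStaticHTML: an output-side check that splits sanitized <style> content on ';' the way a CSS parser will, so a semicolon inserted by entity encoding cannot hide a new declaration. The encodeLikeFilter step is a constructed stand-in for the encoding behaviour the post attributes to the filter, not Microsoft's code.

```javascript
// Constructed stand-in for the filter's encoding step (assumption, not IE code):
// only the entity encoding the post describes, nothing else.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
function encodeLikeFilter(css) {
  return css.replace(/[&<>]/g, (c) => ENTITY_MAP[c]);
}

// Declarations of every <style> block as a CSS parser will delimit them:
// the contents of each {...} split on ';'. Entities are deliberately NOT
// decoded first, because a browser does not decode them inside <style> either,
// so the ';' of "&amp;" really does terminate the declaration.
function cssDeclarations(html) {
  const decls = [];
  const styleRe = /<style[^>]*>([\s\S]*?)<\/style>/gi;
  let m;
  while ((m = styleRe.exec(html)) !== null) {
    for (const block of m[1].match(/\{[^}]*\}/g) || []) {
      for (const d of block.slice(1, -1).split(';')) {
        const t = d.trim();
        if (t) decls.push(t);
      }
    }
  }
  return decls;
}

// Output-side check: reject any declaration that contains a dynamic
// property call, whatever the property name or surrounding value looks like.
// This is the check the post shows the input-side filter lacked.
function dangerousDeclarations(html) {
  return cssDeclarations(html).filter((d) => /expression\s*\(/i.test(d));
}

// Worked run with the CSS from the post's one-liner (constructed input).
const untrustedCss = 'div{color:rgb(0,0,0)&a=expression(alert(1))}';
const sanitized = '<style>' + encodeLikeFilter(untrustedCss) + '</style>';

// The encoder turns one declaration into two: the '&' becomes "&amp;" and its
// ';' ends the color declaration, leaving "a=expression(alert(1))" on its own.
const declarationsBefore = cssDeclarations('<style>' + untrustedCss + '</style>');
const declarationsAfter = cssDeclarations(sanitized);
const flagged = dangerousDeclarations(sanitized);
```

Running the check on the sanitizer's output rather than its input is what catches this class of bug: the encoding step changed the CSS structure after the filter had already made its decision.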


Every application that relies on toStaticHTML to sanitize user-supplied data is now probably vulnerable to XSS.



An old post from 2011, originally published on Watchfire's (IBM) blog.

Discovered by Adi Cohen, IBM Application Security Research
