Microsoft Internet Explorer toStaticHTML Information Disclosure

Packet Storm ID: PACKETSTORM:103241
Published: Jul 21, 2011
Author: Adi Cohen
Source: packetstormsecurity.com

EPSS: 0.922 (High), percentile 98.7%

Name: Microsoft Internet Explorer 'toStaticHTML' HTML Sanitizing Information Disclosure Vulnerability  
Author: Adi Cohen of IBM Rational Application Security ([email protected])  
Date: June 14, 2011  
Risk: Medium  
CVE: CVE-2011-1252  
  
  
Introduction  
-------------  
The JavaScript function toStaticHTML, which is found in Internet Explorer 8 and Internet Explorer 9, is used to sanitize HTML fragments from dynamic and potentially malicious content.  
If an attacker can manage to pass malicious code through this function, s/he may be able to perform HTML injection based attacks (such as XSS).  
  
Vulnerability  
-------------  
An attacker can craft CSS that, after passing through the toStaticHTML function, still contains an expression() that triggers a JavaScript call.  
  
The following JavaScript code demonstrates the vulnerability:  
  
<script>document.write(toStaticHTML("<style>div{color:rgb(0,0,0)&a=expression(alert(1))}</style>Adi Cohen"))</script>   
  
This code bypasses the filter engine by taking advantage of the following facts:  
1. The filtering engine allows the string "expression(" to exist in "non-dangerous" locations within the CSS  
2. The filtering engine changes special characters (such as &, <, >) to their HTML-encoded equivalents (&amp;, &lt;, &gt;), which all end with a semicolon  
  
An attacker can use the semicolon of an HTML-encoded character to terminate one CSS declaration and start a new one without the filtering engine being aware of it, thereby breaking its state machine.  
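The ordering defect behind the two facts above is easier to see in code. The following is an added example, not code from the advisory or from Microsoft: a toy filter that inspects CSS declarations before entity-encoding (so the encoder's trailing `;` can create a declaration it never saw) beside a hardened variant that encodes first and then re-parses its own output the way the browser will. The CSS handling is deliberately minimal, and the rule "only the leading function call of a value is inspected" is an assumption standing in for the advisory's "non-dangerous locations"; the real toStaticHTML internals are not modelled.

```javascript
// Added example: a minimal model of the encode-after-check ordering bug.
// Assumptions (not from the advisory): declarations split on ";", the value
// is whatever follows the first ":", and only a value's leading function call
// is inspected. None of this reproduces toStaticHTML's actual parser.

// Entity-encode the characters the advisory lists. Every entity ends in ";",
// which is also the CSS declaration terminator: that is the whole problem.
function htmlEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Split a style body into declarations the way a CSS consumer does: on ";".
function declarations(styleBody) {
  return styleBody.split(";").map((d) => d.trim()).filter((d) => d.length > 0);
}

// The value part of a declaration: text after the first ":", or the whole
// fragment when no ":" is present (a fragment created by a stray ";" has none).
function valueOf(decl) {
  const i = decl.indexOf(":");
  return (i === -1 ? decl : decl.slice(i + 1)).trim();
}

// Name of the first function call in a value, e.g. "rgb" for "rgb(0,0,0)".
function firstFunctionName(value) {
  const m = /([A-Za-z_-][\w-]*)\s*\(/.exec(value);
  return m ? m[1].toLowerCase() : null;
}

// The check both filters share: reject a declaration whose leading function
// is expression(). Inspecting only the leading call models the lenient filter.
function isDangerous(decl) {
  return firstFunctionName(valueOf(decl)) === "expression";
}

// Naive filter: inspect the INPUT, then encode. Returns null on rejection.
// The single input declaration leads with rgb(), so it passes; encoding then
// inserts "&amp;", whose ";" splits it into two declarations for the browser.
function naiveFilter(styleBody) {
  if (declarations(styleBody).some(isDangerous)) return null;
  return htmlEncode(styleBody);
}

// Hardened filter: encode first, then inspect the OUTPUT exactly as the
// consumer will parse it. Boundaries introduced by encoding are now visible.
function hardenedFilter(styleBody) {
  const out = htmlEncode(styleBody);
  if (declarations(out).some(isDangerous)) return null;
  return out;
}

// Constructed sample inputs: the advisory's style body and a benign one.
const ADVISORY_STYLE = "div{color:rgb(0,0,0)&a=expression(alert(1))}";
const BENIGN_STYLE = "div{color:rgb(0,0,0)}";

const leaked = naiveFilter(ADVISORY_STYLE);
console.log("naive output    :", leaked);
console.log("consumer sees   :", declarations(leaked)); // two declarations; the second leads with expression(
console.log("hardened output :", hardenedFilter(ADVISORY_STYLE)); // null: rejected
console.log("benign, both    :", naiveFilter(BENIGN_STYLE), hardenedFilter(BENIGN_STYLE));
```

The general lesson is independent of this particular filter: any sanitizer that transforms its input after validating it must re-validate the transformed output, because the transformation can change where the consumer sees token boundaries.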
  
Impact  
------  
Any application that relies on the function toStaticHTML to sanitize user supplied data is probably vulnerable to XSS.  
  
References  
----------  
http://www.securityfocus.com/bid/48199  
http://support.avaya.com/css/P8/documents/100141412  
http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx  
