Preventing XSS with Data Binding: the PoC

Encoding: example (test your favourite charsets)
Add a text: example: <script>alert(123)</script>
Add a href: example: java%09script:alert(123)
Add a style: example: background-image: url("javascript:alert(123)")
Add a comment: example: --><script>alert(123)</script>
Some detail about the theory and the aim of this PoC can be found here.

In early September I'll release a paper with a more complete description of this research.

The Sources
PHP server-side stuff
JavaScript bind stuff
JavaScript parsing stuff

...and another raw (unfinished) example for mixed user HTML; look at the source code for a better understanding.

Author Contact: stefano.dipaola at wisec.it / stefano.dipaola at mindedsecurity.com

Update: added a plaintext (awful but useful) solution for variable-width encoding (doesn't work with Opera).

Known issues: despite the RFC, IE doesn't ignore unknown properties, so a style like 'blah: expression((window.r==1)?":eval("r=1;alert('XSS');"))' will be executed...

Update 2: it seems the style problem can be fixed by using a first element to strip unknown style attributes and then setting the auto-sanitized cssText on a second element.
The workaround for the expression exploit:
 // cssText is the untrusted style string; isIE is the PoC's browser flag.
 // Step 1: let the engine parse the text on a scratch element; a compliant
 // engine drops unknown properties at this point.
 if(typeof this._bstyle == 'undefined' )
   this._bstyle = document.createElement('A');

 this._bstyle.style.cssText = cssText;

 // Step 2: copy only the parsed (serialised) cssText onto the real element,
 // never the raw input.
 if(typeof this._astyle == 'undefined' )
   this._astyle = document.createElement('A');

 this._astyle.style.cssText = this._bstyle.style.cssText.toString();
 delete this._bstyle;

 // Step 3: IE keeps unknown properties, so reject anything that still
 // carries expression() or url() after the round trip.
 if(isIE && this._astyle.style["cssText"].toString().match(/url|expression/i)){
   alert("Sorry, the text contained expression or Url");
   this._astyle.style["cssText"] = '';
 }
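Putting the four demo inputs (text, href, style, comment) and the style workaround together, the following is an added example of data-binding helpers written for this page; it is not the PoC's own code. Untrusted values are assigned through DOM properties rather than spliced into markup, and each check runs on the normalised value. The scheme allow-list, the extended CSS keyword list and the CSS escape decoder are assumptions of this example (the PoC itself only checks for url and expression); the is*/sanitize* functions are plain JavaScript and run in Node, while the bind* functions assume a browser DOM.

```javascript
// Added example (not part of the original PoC): data-binding helpers for the
// four input kinds the demo exposes. Pure check/sanitize functions first,
// browser-only bind* functions at the end.

const SAFE_SCHEMES = ['http:', 'https:', 'mailto:', 'ftp:'];   // assumed policy

// Percent-decode, then drop ASCII controls/spaces and C1 controls anywhere in
// the value: browsers ignore these inside a scheme, which is how
// "java%09script:" still reaches the javascript: handler.
function normalizeHref(href) {
  let s = String(href);
  try { s = decodeURIComponent(s); } catch (e) { /* malformed %xx: keep raw */ }
  return s.replace(/[\u0000-\u0020\u007f-\u009f]/g, '').toLowerCase();
}

function isSafeHref(href) {
  const n = normalizeHref(href);
  const colon = n.indexOf(':');
  if (colon === -1) return true;                 // no scheme: relative URL
  const delim = n.search(/[\/?#]/);              // a colon after / ? # is in the path, not a scheme
  if (delim !== -1 && delim < colon) return true;
  return SAFE_SCHEMES.includes(n.slice(0, colon + 1));
}

// Comment data may not contain "--", start with ">" or "->", or end with "-";
// the demo payload "--><script>" relies on the first of these.
function sanitizeCommentData(text) {
  return String(text)
    .replace(/-(?=-)/g, '- ')     // break every "--" pair
    .replace(/^(->|>)/, '')       // cannot start with ">" or "->"
    .replace(/-+$/, '');          // cannot end with "-"
}

// Undo CSS backslash escapes ("\75 rl(" is "url(") so the keyword check below
// cannot be bypassed by escaping; a browser round trip normalises these too.
function decodeCssEscapes(css) {
  return String(css)
    .replace(/\\([0-9a-f]{1,6})[ \t\n\r\f]?/gi, (m, hex) => {
      const cp = parseInt(hex, 16);
      return cp === 0 || cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
    })
    .replace(/\\(.)/g, '$1');
}

// The PoC checks /url|expression/i; this assumed list adds the other historic
// script-bearing constructs. Deliberately coarse substring match, so
// legitimate url() values are refused as well.
const UNSAFE_CSS = /expression|url|behavior|-moz-binding|@import|javascript/i;

function isSafeCssText(cssText) {
  return !UNSAFE_CSS.test(decodeCssEscapes(cssText));
}

// ---- DOM binding (browser only) ----
function bindText(el, value) { el.textContent = String(value); }

function bindHref(el, value) {
  if (!isSafeHref(value)) { el.removeAttribute('href'); return false; }
  el.setAttribute('href', String(value));
  return true;
}

function bindComment(parent, value) {
  parent.appendChild(document.createComment(sanitizeCommentData(value)));
}

// Two-element round trip as in the PoC workaround: a scratch element parses
// the text (the engine drops properties it does not know) and only the parsed
// cssText is applied, after the keyword check.
function bindStyle(el, cssText) {
  const scratch = document.createElement('a');
  scratch.style.cssText = String(cssText);
  const parsed = scratch.style.cssText;
  if (!isSafeCssText(parsed)) { el.style.cssText = ''; return false; }
  el.style.cssText = parsed;
  return true;
}
```

The href check decodes and strips before looking at the scheme, so both the literal tab and the `%09` form of the demo payload are rejected; the comment sanitizer rewrites rather than rejects, because comment data cannot execute by itself and only becomes dangerous when the document is re-serialised and re-parsed.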

The plaintext guard for variable-width encoding mentioned in the update above, which the page appends as raw bytes: a UTF-16LE byte order mark (0xFF 0xFE) followed by <plaintext style='display:none'> encoded in UTF-16LE, repeated three times.