Bug 12774 - S60 browser doesn't properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks
Status: CLOSED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 420+
Hardware: S60 Hardware S60 3rd edition
Importance: P2 Normal
Assignee: Nobody
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Keywords:
Depends on:
Blocks:
 
Reported: 2007-02-14 13:18 PST by Krishna
Modified: 2011-03-21 11:53 PDT

Description Krishna 2007-02-14 13:18:33 PST
2.2.2007 Ilhan Gurel: This originally comes from the following reported vulnerability:

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0478

The link also has information about the proof of concept data.

Description of the original problem: Apple Safari does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within an HTML comment.

It has been acknowledged that this is also a valid issue for the S60 browser as it uses the same code.
Comment 1 Robert Blaut 2008-06-11 00:14:30 PDT
I think the S60 platform bug should be closed as other S60 bugs.
Comment 2 Joel Parks 2011-03-21 11:53:11 PDT
re-purposing InTSW keyword for use by QtWebkit team