26938 2009-07-02 15:49:27 -0700 XSSAuditor should accommodate common, slight transformations. 2009-07-22 16:28:48 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED XSSAuditor P2 Normal --- 1 matthew.murphy webkit-unassigned abarth dbates mjs oldest_to_newest 129604 0 matthew.murphy 2009-07-02 15:49:27 -0700 The reflective XSS filter landed in Bug #26199 is too strict in evaluating whether inputs were reflected back into the output. If, for example, the server-side code does the equivalent of a PHP addslashes() on the input, then the following input will dodge the filter while still executing script: <script>var bogus=/\/; alert(document.URL);</script> The backslash will be doubled, resulting in an output that's subtly different than its input. IE's filter accounts for such subtle differences between input and output using regular expressions, and perhaps we should do the same. 130389 1 dbates 2009-07-08 00:36:44 -0700 Right. We are aware of this issue and it is among our list of improvements. (In reply to comment #0) > The reflective XSS filter landed in Bug #26199 is too strict in evaluating > whether inputs were reflected back into the output. If, for example, the > server-side code does the equivalent of a PHP addslashes() on the input, then > the following input will dodge the filter while still executing script: > > <script>var bogus=/\/; alert(document.URL);</script> > > The backslash will be doubled, resulting in an output that's subtly different > than its input. > > IE's filter accounts for such subtle differences between input and output using > regular expressions, and perhaps we should do the same. 133980 2 abarth 2009-07-22 16:28:48 -0700 Dan fixed this in http://trac.webkit.org/changeset/46250