27405 2009-07-17 22:52:46 -0700 [XSSAuditor] URL encoded ampersand can be used to bypass XSSAuditor 2009-07-17 23:20:25 -0700 1 1 1 Unclassified WebKit WebKit Misc. 528+ (Nightly build) All All RESOLVED FIXED http://webblaze.org/dbates/xsstest.php?q=<a href='about:blank' onclick=alert('%26q')>Test</a> XSSAuditor P2 Normal --- 1 dbates webkit-unassigned abarth sam oldest_to_newest 132852 0 dbates 2009-07-17 22:52:46 -0700 When decoding HTML entities (XSSAuditor::decodeHTMLEntities), the ampersand is removed and the supposed entity is consumed. If the entity turns out to be invalid, such as an unknown named entity, then a null-character is inserted into the decoded result, which creates a discrepancy between the script code and the HTTP parameters. Consider: Inline Event Handler: http://webblaze.org/dbates/xsstest.php?q=%3Ca%20href='http://www.webblaze.org'%20onclick='alert(/%26XSS/)'%3EClick%3C/a%3E JavaScript Link: http://webblaze.org/dbates/xsstest.php?q=%3Ca%20href=javascript:alert(/%26XSS/)%3EClick%3C/a%3E 132854 1 33007 dbates 2009-07-17 22:56:28 -0700 Created attachment 33007 Patch with tests 132858 2 33007 abarth 2009-07-17 23:12:18 -0700 Comment on attachment 33007 Patch with tests Yes. 132859 3 abarth 2009-07-17 23:20:25 -0700 Committing to http://svn.webkit.org/repository/webkit/trunk ... M LayoutTests/ChangeLog A LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt A LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand.html A LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt A LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand.html M WebCore/ChangeLog M WebCore/page/XSSAuditor.cpp Committed r46086 M WebCore/ChangeLog M WebCore/page/XSSAuditor.cpp A LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt A LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand.html A LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt A LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand.html M LayoutTests/ChangeLog r46086 = 209a4aa2f77640ff10c4bb3e541c94cc9ee1a53d (trunk) No changes between current HEAD and refs/remotes/trunk Resetting to the latest refs/remotes/trunk http://trac.webkit.org/changeset/46086 33007 2009-07-17 22:56:28 -0700 2009-07-17 23:12:18 -0700 Patch with tests Bug27405_1.patch text/plain 5025 dbates SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA0NjA4MikKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTkgQEAKKzIwMDktMDctMTcgIERhbmllbCBCYXRlcyAgPGRiYXRlc0BpbnR1ZGF0 YS5jb20+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisgICAgICAgIAor ICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9Mjc0MDUKKwor ICAgICAgICBGaXhlcyBhbiBpc3N1ZSB3aGVuIGRlY29kaW5nIEhUTUwgZW50aXRpZXMgd2l0aCBh biB1bmtub3duIG5hbWVkIGVudGl0eSB0aGF0IAorICAgICAgICBjYXVzZWQgbnVsbC1jaGFyYWN0 ZXJzIHRvIGJlIGluc2VydGVkIGludG8gdGhlIGRlY29kZWQgcmVzdWx0LgorCisgICAgICAgIFRl c3Q6IGh0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9saW5rLW9uY2xpY2stYW1wZXJzYW5k Lmh0bWwKKyAgICAgICAgICAgICAgaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL2phdmFz Y3JpcHQtbGluay1hbXBlcnNhbmQuaHRtbAorCisgICAgICAgICogcGFnZS9YU1NBdWRpdG9yLmNw cDoKKyAgICAgICAgKFdlYkNvcmU6OlhTU0F1ZGl0b3I6OmRlY29kZUhUTUxFbnRpdGllcyk6IEFk ZGVkIGNoZWNrIHRvIGNvbmRpdGlvbmFsIHNvIHRoYXQKKyAgICAgICAgbm9uLXplcm8gZW50aXR5 IHZhbHVlcyBhcmUgbm90IGluc2VydGVkIGR1cmluZyBkZWNvZGluZyBwcm9jZXNzLgorCiAyMDA5 LTA3LTE3ICBKYW4gTWljaGFlbCBBbG9uem8gIDxqbWFsb256b0B3ZWJraXQub3JnPgogCiAgICAg ICAgIDxodHRwOi8vd2Via2l0Lm9yZy9iLzE4MzYzPiBbR1RLXSBDb21ibyBib3hlcyBjYW5ub3Qg YmUgb3BlbmVkIHByZXNzaW5nIHNwYWNlCkluZGV4OiBXZWJDb3JlL3BhZ2UvWFNTQXVkaXRvci5j cHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PQotLS0gV2ViQ29yZS9wYWdlL1hTU0F1ZGl0b3IuY3BwCShyZXZpc2lvbiA0 NTc4OCkKKysrIFdlYkNvcmUvcGFnZS9YU1NBdWRpdG9yLmNwcAkod29ya2luZyBjb3B5KQpAQCAt MTkzLDcgKzE5Myw3IEBAIFN0cmluZyBYU1NBdWRpdG9yOjpkZWNvZGVIVE1MRW50aXRpZXMoY28K ICAgICAgICAgaWYgKGVudGl0eSA+IDB4RkZGRikgewogICAgICAgICAgICAgcmVzdWx0LmFwcGVu ZChVMTZfTEVBRChlbnRpdHkpKTsKICAgICAgICAgICAgIHJlc3VsdC5hcHBlbmQoVTE2X1RSQUlM KGVudGl0eSkpOwotICAgICAgICB9IGVsc2UgaWYgKCFsZWF2ZVVuZGVjb2RhYmxlSFRNTEVudGl0 aWVzVW50b3VjaGVkIHx8IGVudGl0eSAhPSAweEZGRkQpeworICAgICAgICB9IGVsc2UgaWYgKGVu dGl0eSAmJiAoIWxlYXZlVW5kZWNvZGFibGVIVE1MRW50aXRpZXNVbnRvdWNoZWQgfHwgZW50aXR5 ICE9IDB4RkZGRCkpewogICAgICAgICAgICAgcmVzdWx0LmFwcGVuZChlbnRpdHkpOwogICAgICAg ICB9IGVsc2UgewogICAgICAgICAgICAgcmVzdWx0LmFwcGVuZCgnJicpOwpJbmRleDogTGF5b3V0 VGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL0NoYW5nZUxvZwkocmV2 aXNpb24gNDYwODIpCisrKyBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHdvcmtpbmcgY29weSkKQEAg LTEsMyArMSwxNyBAQAorMjAwOS0wNy0xNyAgRGFuaWVsIEJhdGVzICA8ZGJhdGVzQGludHVkYXRh LmNvbT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKyAgICAgICAgCisg ICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yNzQwNQorCisg ICAgICAgIFRlc3RzIHRoYXQgSFRNTCBlbnRpdGllcyB0aGF0IGNvbnRhaW4gYW4gaW52YWxpZCBl bnRpdHksIHN1Y2ggYXMgYW4gCisgICAgICAgIHVua25vd24gbmFtZWQgZW50aXR5LCBhcmUgcHJv cGVybHkgaGFuZGxlZC4KKworICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRv ci9saW5rLW9uY2xpY2stYW1wZXJzYW5kLWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAgICog aHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL2xpbmstb25jbGljay1hbXBlcnNhbmQuaHRt bDogQWRkZWQuCisgICAgICAgICogaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL2phdmFz Y3JpcHQtbGluay1hbXBlcnNhbmQtZXhwZWN0ZWQudHh0OiBBZGRlZC4KKyAgICAgICAgKiBodHRw L3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3IvamF2YXNjcmlwdC1saW5rLWFtcGVyc2FuZC5odG1s OiBBZGRlZC4KKwogMjAwOS0wNy0xNyAgSmVucyBBbGZrZSAgPHNuZWpAY2hyb21pdW0ub3JnPgog CiAgICAgICAgIFJldmlld2VkIGJ5IERpbWl0cmkgR2xhemtvdi4KSW5kZXg6IExheW91dFRlc3Rz L2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9qYXZhc2NyaXB0LWxpbmstYW1wZXJzYW5k LWV4cGVjdGVkLnR4dAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3Vy aXR5L3hzc0F1ZGl0b3IvamF2YXNjcmlwdC1saW5rLWFtcGVyc2FuZC1leHBlY3RlZC50eHQJKHJl dmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Iv amF2YXNjcmlwdC1saW5rLWFtcGVyc2FuZC1leHBlY3RlZC50eHQJKHJldmlzaW9uIDApCkBAIC0w LDAgKzEsMyBAQAorQ09OU09MRSBNRVNTQUdFOiBsaW5lIDE6IFJlZnVzZWQgdG8gZXhlY3V0ZSBh IEphdmFTY3JpcHQgc2NyaXB0LiBTb3VyY2UgY29kZSBvZiBzY3JpcHQgZm91bmQgd2l0aGluIHJl cXVlc3QuCisKKwpJbmRleDogTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRp dG9yL2phdmFzY3JpcHQtbGluay1hbXBlcnNhbmQuaHRtbAo9PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRU ZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3IvamF2YXNjcmlwdC1saW5rLWFtcGVy c2FuZC5odG1sCShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0 eS94c3NBdWRpdG9yL2phdmFzY3JpcHQtbGluay1hbXBlcnNhbmQuaHRtbAkocmV2aXNpb24gMCkK QEAgLTAsMCArMSwxNiBAQAorPCFET0NUWVBFIGh0bWw+Cis8aHRtbD4KKzxoZWFkPgorPHNjcmlw dD4KK2lmICh3aW5kb3cubGF5b3V0VGVzdENvbnRyb2xsZXIpIHsKKyAgICBsYXlvdXRUZXN0Q29u dHJvbGxlci5kdW1wQXNUZXh0KCk7CisgICAgbGF5b3V0VGVzdENvbnRyb2xsZXIud2FpdFVudGls RG9uZSgpOworICAgIGxheW91dFRlc3RDb250cm9sbGVyLnNldFhTU0F1ZGl0b3JFbmFibGVkKHRy dWUpOworfQorPC9zY3JpcHQ+Cis8L2hlYWQ+Cis8Ym9keT4KKzxpZnJhbWUgc3JjPSdodHRwOi8v bG9jYWxob3N0OjgwMDAvc2VjdXJpdHkveHNzQXVkaXRvci9yZXNvdXJjZXMvZWNoby1pbnRlcnRh Zy1jbGljay1hbmQtbm90aWZ5LnBsP2VsbWlkPWFuY2hvckxpbmsmcT0lM0NhK2lkJTNEYW5jaG9y TGluaytocmVmJTNEamF2YXNjcmlwdCUzQWFsZXJ0JTI4LyUyNlhTUy8lMjklM0V0ZXN0JTNDL2El M0UnPgorPC9pZnJhbWU+Cis8L2JvZHk+Cis8L2h0bWw+CkluZGV4OiBMYXlvdXRUZXN0cy9odHRw L3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3IvbGluay1vbmNsaWNrLWFtcGVyc2FuZC1leHBlY3Rl ZC50eHQKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NB dWRpdG9yL2xpbmstb25jbGljay1hbXBlcnNhbmQtZXhwZWN0ZWQudHh0CShyZXZpc2lvbiAwKQor KysgTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL2xpbmstb25jbGlj ay1hbXBlcnNhbmQtZXhwZWN0ZWQudHh0CShyZXZpc2lvbiAwKQpAQCAtMCwwICsxLDMgQEAKK0NP TlNPTEUgTUVTU0FHRTogbGluZSAxOiBSZWZ1c2VkIHRvIGV4ZWN1dGUgYSBKYXZhU2NyaXB0IHNj cmlwdC4gU291cmNlIGNvZGUgb2Ygc2NyaXB0IGZvdW5kIHdpdGhpbiByZXF1ZXN0LgorCisKSW5k ZXg6IExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9saW5rLW9uY2xp Y2stYW1wZXJzYW5kLmh0bWwKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9z ZWN1cml0eS94c3NBdWRpdG9yL2xpbmstb25jbGljay1hbXBlcnNhbmQuaHRtbAkocmV2aXNpb24g MCkKKysrIExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9saW5rLW9u Y2xpY2stYW1wZXJzYW5kLmh0bWwJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsMTUgQEAKKzwhRE9D VFlQRSBodG1sPgorPGh0bWw+Cis8aGVhZD4KKzxzY3JpcHQ+CitpZiAod2luZG93LmxheW91dFRl c3RDb250cm9sbGVyKSB7CisgIGxheW91dFRlc3RDb250cm9sbGVyLmR1bXBBc1RleHQoKTsKKyAg bGF5b3V0VGVzdENvbnRyb2xsZXIuc2V0WFNTQXVkaXRvckVuYWJsZWQodHJ1ZSk7Cit9Cis8L3Nj cmlwdD4KKzwvaGVhZD4KKzxib2R5PgorPGlmcmFtZSBzcmM9Imh0dHA6Ly9sb2NhbGhvc3Q6ODAw MC9zZWN1cml0eS94c3NBdWRpdG9yL3Jlc291cmNlcy9lY2hvLWludGVydGFnLnBsP3E9PGElMjBv bmNsaWNrPSdhbGVydCgvJTI2WFNTLyknPkNsaWNrPC9hPiI+Cis8L2lmcmFtZT4KKzwvYm9keT4K KzwvaHRtbD4K