Bug 12774
| Summary: | S60 browser doesn't properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Krishna <krishnamurty.podipireddy> |
| Component: | DOM | Assignee: | Nobody <webkit-unassigned> |
| Status: | CLOSED INVALID | ||
| Severity: | Normal | CC: | bradley.morrison, webkit |
| Priority: | P2 | ||
| Version: | 420+ | ||
| Hardware: | S60 Hardware | ||
| OS: | S60 3rd edition | ||
| URL: | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0478 | ||
Krishna
2.2.2007 Ilhan Gurel: This originally comes from the following reported vulnerability:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0478
The link also has information about the proof of concept data.
Description of the original problem: Apple Safari does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within an HTML comment.
It has been acklowledged that this is also valid issue for S60 browser as it uses same code.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Robert Blaut
I think the S60 platform bug should be closed as other S60 bugs.
Joel Parks
re-purposing InTSW keyword for use by QtWebkit team