Bug 130475

Summary: XSS Auditor doesn't block <script> injected before an existing <script>
Product: WebKit Reporter: Daniel Bates <dbates>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal CC: abarth, ap, ddkilzer, tsepez
Priority: P2 Keywords: InRadar, XSSAuditor
Version: 528+ (Nightly build)
Hardware: All
OS: All
URL: http://demofaast.elevenpaths.com:9002/xssbypass/scriptbypass.php?value=%3Cscript%3Ealert%28%22Bypass%20Message%22%29
Attachments: Layout tests (flags: none)

Description Daniel Bates 2014-03-19 14:20:47 PDT
Without loss of generality, consider a page with the following PHP markup:

<!DOCTYPE html>
<html>
<body>
<?php echo $_GET["q"] ?><script>function dummy() {}</script>
</body>
</html>

Take q := "<script>alert(/XSS/)". Then the page displays a JavaScript alert with message "/XSS/".
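As an added illustration (not part of the bug report or of WebKit's code), the Python below models the reflecting page from the description: it shows that, because script data only ends at "</script", the injected script's body runs on into the page's own script and so is never wholly present in the request, and contrasts that with the HTML-escaped output the server should have produced. The "body must appear verbatim in the request" check is an assumed, simplified model of a reflection filter, not the auditor's actual logic.

```python
import html
import re

# Constructed stand-in for the reflecting PHP page in the bug report:
# the query value is echoed, immediately followed by an existing <script>.
TEMPLATE = (
    "<!DOCTYPE html>\n<html>\n<body>\n"
    "{q}<script>function dummy() {{}}</script>\n"
    "</body>\n</html>\n"
)

# In the HTML tokenizer, script data ends only at "</script"; a second
# "<script>" inside it is ordinary script text, not a new element.
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script", re.S | re.I)


def render_unescaped(q: str) -> str:
    """What the page in the bug does: echo $_GET['q'] verbatim."""
    return TEMPLATE.format(q=q)


def render_escaped(q: str) -> str:
    """Server-side fix: HTML-encode the reflected value (htmlspecialchars in PHP)."""
    return TEMPLATE.format(q=html.escape(q, quote=True))


def script_bodies(doc: str) -> list[str]:
    """Inline script bodies as the parser sees them."""
    return SCRIPT_BODY.findall(doc)


def bodies_matching_request(doc: str, q: str) -> list[str]:
    """Assumed, simplified reflection check: a script body is flagged only if
    it appears verbatim in the request parameter."""
    return [body for body in script_bodies(doc) if body in q]


if __name__ == "__main__":
    q = "<script>alert(/XSS/)"
    doc = render_unescaped(q)
    print(script_bodies(doc))               # ['alert(/XSS/)<script>function dummy() {}']
    print(bodies_matching_request(doc, q))  # [] : body is not in the request, nothing flagged
    print(script_bodies(render_escaped(q))) # ['function dummy() {}']
```

The unescaped rendering yields a single script whose body spans the injected text and the page's own function, which is why a check that looks for the whole body in the request finds nothing; escaping the reflected value leaves only the page's original script.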
Comment 2 Daniel Bates 2014-03-19 14:21:22 PDT
<rdar://problem/16348414>
Comment 3 Daniel Bates 2014-03-19 14:31:32 PDT
Created attachment 227218 [details]
Layout tests

DRT layout tests. We may also want to supplement these tests with Thomas Sepez's tests in <https://codereview.chromium.org/205243002/>.
Comment 4 Daniel Bates 2014-03-19 14:38:15 PDT
(In reply to comment #3)
> Created an attachment (id=227218) [details]
> Layout tests
> 
> DRT layout tests. We may also want to supplement these tests with Thomas Sepez's tests in <https://codereview.chromium.org/205243002/>.

I should add that the contents of the included -expected.txt files need to be updated.
Comment 5 David Kilzer (:ddkilzer) 2014-03-22 19:11:14 PDT
Fixed in Blink:  <http://src.chromium.org/viewvc/blink?view=rev&rev=169697>
Comment 6 Daniel Bates 2014-03-24 16:12:27 PDT
Committed r166202: <http://trac.webkit.org/changeset/166202>