Bug 130475

Summary: XSS Auditor doesn't block <script> injected before an existing <script>
Product: WebKit Reporter: Daniel Bates <dbates>
Component: WebCore Misc. Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal CC: abarth, ap, ddkilzer, tsepez
Priority: P2 Keywords: InRadar, XSSAuditor
Version: 528+ (Nightly build)
Hardware: All
OS: All
URL: http://demofaast.elevenpaths.com:9002/xssbypass/scriptbypass.php?value=%3Cscript%3Ealert%28%22Bypass%20Message%22%29

Daniel Bates
Reported 2014-03-19 14:20:47 PDT
Without loss of generality, consider a page with the following PHP markup:

<!DOCTYPE html>
<html>
<body>
<?php echo $_GET["q"] ?><script>function dummy() {}</script>
</body>
</html>

Take q := "<script>alert(/XSS/)". Then the page displays a JavaScript alert with message "/XSS/".
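How the payload in the report ends up executing, as an added example that is not part of this bug, its patch, or WebKit's XSS Auditor source: a JavaScript model of the reporter's PHP template, a simplified script-data tokenizer, and two assumed ways a reflection filter could compare the response-side script against the request. The escapeHtml() fix, the extractScriptBodies() tokenizer and the wholeBodyReflected()/leadingBodyReflected() checks are illustrative assumptions, not the auditor's actual algorithm.

```javascript
// Added illustration for bug 130475; not WebKit code and not the auditor's
// real matching rules. Everything below is a simplified model.

// The reporter's PHP template, modelled in JS: $_GET["q"] is echoed
// unescaped, immediately followed by an existing <script> element.
function renderVulnerablePage(q) {
  return '<!DOCTYPE html> <html> <body> ' + q +
         '<script>function dummy() {}</script> </body> </html>';
}

// Assumed server-side fix (the equivalent of PHP's htmlspecialchars()).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function renderEscapedPage(q) {
  return renderVulnerablePage(escapeHtml(q));
}

// Simplified script-data tokenization: after a <script> start tag the parser
// treats everything up to the next "</script" as raw text, so a second
// "<script>" inside the body does NOT open a new element. An unterminated
// script body runs to the end of the input.
function extractScriptBodies(html) {
  const bodies = [];
  const open = /<script\b[^>]*>/gi;
  let m;
  while ((m = open.exec(html)) !== null) {
    const start = open.lastIndex;
    const close = html.slice(start).search(/<\/script\s*>/i);
    const end = close === -1 ? html.length : start + close;
    bodies.push(html.slice(start, end));
    open.lastIndex = end; // resume scanning after the body
  }
  return bodies;
}

// Does the body the browser will actually run parse as JavaScript?
// The dangling "<script>" is legal: it reads as
//   alert(/XSS/) < script > function dummy() {}
// so alert() runs before the comparisons are evaluated.
function bodyParsesAsJs(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Two models (assumptions, not WebKit's rules) of how a reflection filter
// could compare a response-side script body against the request parameter:
//  - whole-body match: the body must appear verbatim in the request
//  - leading match: the request must contain the start tag plus the first
//    few characters of the body
function wholeBodyReflected(param, body) {
  return param.includes(body);
}
function leadingBodyReflected(param, body, minChars = 8) {
  return param.includes('<script>' + body.slice(0, minChars));
}

function analyze(q) {
  const bodies = extractScriptBodies(renderVulnerablePage(q));
  return bodies.map(body => ({
    body,
    parses: bodyParsesAsJs(body),
    wholeBodyReflected: wholeBodyReflected(q, body),
    leadingBodyReflected: leadingBodyReflected(q, body),
  }));
}

// Usage: the unterminated payload from the report vs. a fully closed one.
console.log(analyze('<script>alert(/XSS/)'));
console.log(analyze('<script>alert(/XSS/)</script>'));
```

The point the model makes: with the unterminated payload, the script body the browser executes is `alert(/XSS/)<script>function dummy() {}`, which never appears whole in the request, so a filter that requires the full body to be reflected sees no match, while the body still parses and the alert still fires. A check that only needs the start tag plus the leading portion of the body to be present in the request flags it, and does not flag the page's own `function dummy() {}` script.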
Attachments
Layout tests (4.92 KB, patch)
2014-03-19 14:31 PDT, Daniel Bates
no flags
Daniel Bates
Comment 2 2014-03-19 14:21:22 PDT
Daniel Bates
Comment 3 2014-03-19 14:31:32 PDT
Created attachment 227218: Layout tests

DRT layout tests. We may also want to supplement these tests with Thomas Sepez's tests in <https://codereview.chromium.org/205243002/>.
Daniel Bates
Comment 4 2014-03-19 14:38:15 PDT
(In reply to comment #3)
> Created an attachment (id=227218)
> Layout tests
>
> DRT layout tests. We may also want to supplement these tests with Thomas Sepez's tests in <https://codereview.chromium.org/205243002/>.

I should add that the contents of the included -expected.txt files need to be updated.
David Kilzer (:ddkilzer)
Comment 5 2014-03-22 19:11:14 PDT
Daniel Bates
Comment 6 2014-03-24 16:12:27 PDT