Bug 163978

Summary: REGRESSION (r178265): XSS Auditor fails to block document.write() of incomplete tag
Product: WebKit
Reporter: Daniel Bates <dbates>
Component: WebCore Misc.
Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED
Severity: Normal
CC: aestes, bfulgham, cdumez, commit-queue, darin, esprehn+autocc, gyuyoung.kim, sam, webkit-bug-importer
Priority: P2
Keywords: InRadar, Regression, XSSAuditor
Version: WebKit Local Build
Hardware: All
OS: All
Bug Depends on: 140166
Bug Blocks:
Attachments: Patch and layout tests (flags: none)

Daniel Bates
Reported 2016-10-25 13:37:11 PDT
Consider a page A.html with the following markup:

<!DOCTYPE html>
<html>
<body>
<script>document.write(unescape(window.location));</script>
</body>
</html>

Suppose you navigate to "A.html?<img src=1 onerror=alert(1)". Then the XSS Auditor should block the execution of the injected onerror handler. But it does not.
Attachments
Patch and layout tests (12.87 KB, patch)
2016-10-25 13:46 PDT, Daniel Bates
no flags
Daniel Bates
Comment 1 2016-10-25 13:44:38 PDT
Daniel Bates
Comment 2 2016-10-25 13:46:17 PDT
Created attachment 292815: Patch and layout tests
Daniel Bates
Comment 3 2016-10-25 15:10:10 PDT
Comment on attachment 292815: Patch and layout tests

Clearing flags on attachment: 292815

Committed r207848: <http://trac.webkit.org/changeset/207848>
Daniel Bates
Comment 4 2016-10-25 15:10:15 PDT
All reviewed patches have been landed. Closing bug.