Bug 163978

Summary: REGRESSION (r178265): XSS Auditor fails to block document.write() of incomplete tag
Product: WebKit
Reporter: Daniel Bates <dbates>
Component: WebCore Misc.
Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED
Severity: Normal
CC: aestes, bfulgham, cdumez, commit-queue, darin, esprehn+autocc, gyuyoung.kim, sam, webkit-bug-importer
Priority: P2
Keywords: InRadar, Regression, XSSAuditor
Version: WebKit Local Build
Hardware: All
OS: All
Bug Depends on: 140166
Bug Blocks: (none)
Attachments: Patch and layout tests (flags: none)

Description Daniel Bates 2016-10-25 13:37:11 PDT
Consider a page A.html with the following markup:

<!DOCTYPE html>
<html>
<body>
<script>document.write(unescape(window.location));</script>
</body>
</html>

Suppose you navigate to "A.html?<img src=1 onerror=alert(1)". Then the XSS Auditor should block the execution of the injected onerror handler. But it does not.
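A constructed model of the check this report is about, added here as an illustration and not WebKit's XSSAuditor code: it shows why a scanner that reports a tag only after seeing its closing '>' misses the markup A.html writes, while scanning to the end of the document.write() chunk catches it. The host name, the function names and the reflection heuristic are assumptions.

```javascript
// Constructed model of the reflected-tag check, not WebKit's XSSAuditor code.
// Event-handler attributes (onerror, onload, ...) are the ones we care about.
const HANDLER_ATTR = /^on[a-z]+$/i;

// Collect start tags from a chunk of markup. With requireClose=true a tag is
// reported only once its '>' has been seen; with requireClose=false a tag left
// open at the end of the chunk is reported as well, because the HTML tokenizer
// will still finish it from whatever follows the document.write() output.
function startTags(markup, requireClose) {
  const tags = [];
  const tagRe = /<([a-zA-Z][^\s/>]*)([^>]*)(>?)/g;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const complete = m[3] === '>';
    if (requireClose && !complete) continue;
    const attrs = [];
    const attrRe = /([^\s=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs.push(a[1].toLowerCase());
    tags.push({ name: m[1].toLowerCase(), attrs, complete });
  }
  return tags;
}

// Return the first tag in the written markup that carries an event handler
// and whose tag name also appears in the request's query string (a simplified
// "was this reflected from the URL?" test), or null if there is none.
function reflectedHandlerTag(url, written, requireClose) {
  const query = decodeURIComponent(new URL(url).search.slice(1));
  for (const tag of startTags(written, requireClose)) {
    const hasHandler = tag.attrs.some((name) => HANDLER_ATTR.test(name));
    if (hasHandler && query.toLowerCase().includes('<' + tag.name)) return tag;
  }
  return null;
}

// Constructed sample: A.html from the report, requested with the report's URL.
// The host is a placeholder. The browser percent-encodes the query in
// window.location, and the page's unescape() call undoes that before writing.
const SAMPLE_URL = 'http://example.test/A.html?<img src=1 onerror=alert(1)';
function sampleWritten(url) {
  return unescape(new URL(url).href);   // what A.html hands to document.write()
}

// Stopping at complete tags misses the open <img ...; scanning to the end of
// the chunk does not.
console.log(reflectedHandlerTag(SAMPLE_URL, sampleWritten(SAMPLE_URL), true));  // null
console.log(reflectedHandlerTag(SAMPLE_URL, sampleWritten(SAMPLE_URL), false)); // img tag, complete: false
```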
Comment 1 Daniel Bates 2016-10-25 13:44:38 PDT
<rdar://problem/25962131>
Comment 2 Daniel Bates 2016-10-25 13:46:17 PDT
Created attachment 292815 [details]
Patch and layout tests
Comment 3 Daniel Bates 2016-10-25 15:10:10 PDT
Comment on attachment 292815 [details]
Patch and layout tests

Clearing flags on attachment: 292815

Committed r207848: <http://trac.webkit.org/changeset/207848>
Comment 4 Daniel Bates 2016-10-25 15:10:15 PDT
All reviewed patches have been landed.  Closing bug.