Bug 243588
| Summary: | Parser bug can introduce mXSS and HTML sanitizers bypass | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Ahmad Saleem <ahmad.saleem792> |
| Component: | DOM | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED CONFIGURATION CHANGED | ||
| Severity: | Normal | CC: | ap, bfulgham, cdumez, rniwa, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 15 | ||
| Hardware: | Mac (Apple Silicon) | ||
| OS: | macOS 12 | ||
Ahmad Saleem
Hi Team,
I was dumpster diving again in Mozilla Bugzilla to identify any test cases in DOM Parser where Safari / Webkit might be different and then testing them across all browser to ensure that Webkit can get to be more web-compatible and came across following test case:
Test Case Link - https://jsbin.com/yomabutoze/edit?html,output
Mozilla Bug - https://bugzilla.mozilla.org/show_bug.cgi?id=1598466
Chrome Bug - https://bugs.chromium.org/p/chromium/issues/detail?id=1005713
Some Blog Post - https://research.securitum.com/dompurify-bypass-using-mxss/
Web-Spec Chrome Discussion - https://bugs.chromium.org/p/chromium/issues/detail?id=1005713#c10
Commit - https://chromium.googlesource.com/chromium/src.git/+/d16226271d4d501de19f019aba1c145930b45503
*** STEPS TO REPRODUCE ***
1) Open Test Case Link
2) Notice Behavior
<< ACTUAL RESULT >>
Safari get dialog with '1' value
<< EXPECTED RESULT >>
No Dialog box similar to other browsers.
___
Appreciate if this can be fixed so there is no dialog box similar to other browsers.
Thanks
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/98212299>
Ryosuke Niwa
Chris recently fixed this.