Bug 26899

Summary: XSSAuditor shouldn't strip control characters
Product: WebKit
Reporter: Adam Barth <abarth>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: dbates, sam
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
URL: https://xenon.stanford.edu/~collinj/test/ie8xss/xsstest.php?q=<script>alert(/XSS/)//h%01</script>
Attachments: Patch with test (flags: abarth: review+)

Adam Barth
Reported 2009-07-01 13:21:57 PDT
Test case: https://xenon.stanford.edu/~collinj/test/ie8xss/xsstest.php?q=<script>alert(/XSS/)//h%01</script>
Attachments
Patch with test (7.16 KB, patch)
2009-07-01 17:35 PDT, Daniel Bates
abarth: review+
Daniel Bates
Comment 1 2009-07-01 17:35:09 PDT
Created attachment 32165: Patch with test

Upon further investigation, we need to remove null characters, since the HTMLTokenizer does so when processing scripts (i.e. the contents of <script>al\0ert(1)</script> become alert(1) by the time they are passed to XSSAuditor). Let me know if this change is better addressed in a separate bug.
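The point in the comment above, as an added illustration that is not WebKit's XSSAuditor code: the request-side canonicalisation must mirror what the HTMLTokenizer does to script content, removing NUL but no other control character, or the reflected script will fail to match in one direction or the other. Function names and the sample inputs are assumptions, built from the two layout tests named in the commit.

```cpp
#include <string>

// Constructed model of the auditor's matching rule (not WebKit's canonicalize()).
// The tokenizer drops NUL bytes from script content, so the page-side script
// "al\0ert(1)" reaches the auditor as "alert(1)"; other control characters such
// as \x01 are passed through untouched.
std::string tokenizerView(const std::string& scriptSource) {
    std::string out;
    for (char c : scriptSource)
        if (c != '\0')
            out += c;
    return out;
}

// Three candidate canonicalisations for the request parameter.
std::string keepEverything(const std::string& s) { return s; }

// Drop every C0 control character: the behaviour the bug title objects to.
std::string stripAllControls(const std::string& s) {
    std::string out;
    for (char c : s)
        if (static_cast<unsigned char>(c) >= 0x20)
            out += c;
    return out;
}

// Drop only NUL, mirroring the tokenizer.
std::string stripNullsOnly(const std::string& s) { return tokenizerView(s); }

// The audit: is the script body the tokenizer hands us present in the request?
// true means the reflected script was detected.
bool auditorDetects(const std::string& pageScript, const std::string& requestParam,
                    std::string (*canonicalize)(const std::string&)) {
    const std::string needle = tokenizerView(pageScript);
    const std::string haystack = canonicalize(requestParam);
    return haystack.find(needle) != std::string::npos;
}

// Constructed inputs modelled on the null-char and control-char layout tests.
// The explicit length is required because of the embedded NUL.
const std::string kNullScript("al\0ert(1)", 9);
const std::string kControlScript("alert(/XSS/)//h\x01");

// The parameter is reflected verbatim into the page, so page script == request param.
bool nullCaseDetected(std::string (*canon)(const std::string&)) {
    return auditorDetects(kNullScript, kNullScript, canon);
}
bool controlCaseDetected(std::string (*canon)(const std::string&)) {
    return auditorDetects(kControlScript, kControlScript, canon);
}
```

Only the NUL-only policy detects both reflections: stripping all controls misses the \x01 case, and stripping nothing misses the NUL case.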
Adam Barth
Comment 2 2009-07-01 18:26:33 PDT
Comment on attachment 32165: Patch with test

Great patch. Thanks.
Adam Barth
Comment 3 2009-07-01 18:36:18 PDT
Sending        LayoutTests/ChangeLog
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-control-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-control-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-null-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-null-char.html
Sending        WebCore/ChangeLog
Sending        WebCore/page/XSSAuditor.cpp
Sending        WebCore/page/XSSAuditor.h
Sending        WebCore/platform/network/ResourceResponseBase.cpp
Sending        WebCore/platform/network/ResourceResponseBase.h
Transmitting file data ..........
Committed revision 45461.