Bug 29944

Summary: [XSSAuditor] Reduce false positives by checking for illegal URI characters
Product: WebKit
Reporter: Daniel Bates <dbates>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, sam
Priority: P2
Keywords: XSSAuditor
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
Patch with test cases and rebased test cases (flags: abarth: review+)

Description Daniel Bates 2009-09-30 18:06:07 PDT
We can reduce the number of false positives for both inline script- and inline event handler-based attacks by explicitly allowing requests that do not contain the characters described in section 2.4.3 of RFC 2396 <http://www.faqs.org/rfcs/rfc2396.html> in addition to the single quote character "'". That is, the following characters cannot appear in a valid URI: ', ", <, >.

If the request does not contain these characters then we can assume that no inline scripts have been injected into the response page, because it is impossible to write an inline script of the form <script>...</script> without "<", ">".

With regard to an injection of an inline event handler, we believe that the majority of such injections occur as part of breaking out of a quoted property and thus a request that does not contain a single or double quote can be allowed. However, this decision causes the following test cases to fail: property-inject.html, property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html. We should address these in a separate update.
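The fast path the report describes, written out as an added example in JavaScript (this is not WebKit's C++ XSSAuditor code and not part of the bug report). It assumes the request URL and POST body are percent-decoded once before being inspected and treats "+" as a form-encoded space; the sample URLs are constructed for this example and are not the test cases named above. The last sample shows the trade-off the report concedes: an event handler injected into an unquoted attribute needs neither a quote nor an angle bracket, so the check lets it through.

```javascript
// Added example (not WebKit's code): the "cannot be an injection" fast path.
// A request whose URL and body contain none of  < > ' "  is allowed without
// further auditing, because an injected <script> element needs "<" and ">",
// and breaking out of a quoted attribute needs a single or double quote.
const SUSPICIOUS_CHARS = /[<>'"]/;

// Assumption of this example: decode %XX escapes once and treat "+" as a
// space. A malformed escape must not throw; the raw text is inspected instead,
// so the characters are still seen if the server would reject or pass them on.
function decodeRequestComponent(text) {
  const plusDecoded = text.replace(/\+/g, ' ');
  try {
    return decodeURIComponent(plusDecoded);
  } catch (e) {
    return plusDecoded;
  }
}

// Returns true when the request cannot carry an inline <script> or a
// quote-delimited event-handler injection and so may skip the auditor.
function requestIsTriviallySafe(url, body = '') {
  const decoded = decodeRequestComponent(url) + '\n' + decodeRequestComponent(body);
  return !SUSPICIOUS_CHARS.test(decoded);
}

// Constructed sample requests (not from the WebKit test suite).
const SAMPLES = [
  // Ordinary search query: no suspicious characters, allowed.
  { url: 'http://example.com/search?q=web+kit', body: '' },
  // Encoded <script> element: decodes to "<" and ">", audited.
  { url: 'http://example.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E', body: '' },
  // Breaking out of a double-quoted attribute: contains a quote, audited.
  { url: 'http://example.com/search?q=%22%20onmouseover%3Dalert(1)%20x%3D%22', body: '' },
  // Payload in the POST body rather than the URL: single quote, audited.
  { url: 'http://example.com/comment', body: 'text=%27%3B+alert(1)%2F%2F' },
  // Handler injected into an UNQUOTED attribute: no quote, no angle bracket,
  // so the fast path allows it. This is the gap the report acknowledges.
  { url: 'http://example.com/search?q=onmouseover%3Dalert(1)', body: '' },
];

// Runs every sample through the check; returns one boolean per sample.
function classifySamples() {
  return SAMPLES.map(s => requestIsTriviallySafe(s.url, s.body));
}

console.log(classifySamples()); // [true, false, false, false, true]
```

The decoding step matters: without it, "%3C" is four harmless characters and every encoded payload would be waved through. Decoding only once is a deliberate choice in this example; a server that decodes twice would need the check to do the same.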
Comment 1 Daniel Bates 2009-09-30 18:13:09 PDT
Created attachment 40415 [details]
Patch with test cases and rebased test cases

Also includes a minor formatting change.
Comment 2 Adam Barth 2009-09-30 18:44:11 PDT
Comment on attachment 40415 [details]
Patch with test cases and rebased test cases

Great.  Thanks Dan.
Comment 3 Daniel Bates 2009-09-30 22:56:28 PDT
Committed r48961: <http://trac.webkit.org/changeset/48961>
Comment 4 Daniel Bates 2014-02-11 12:29:46 PST
(In reply to comment #0)
> [...]
> With regards to an injection of an inline event handler, we believe that the majority of such injections occur as part of breaking out of a quoted property and thus a request that does not contain a single or double quote can be allowed. However, this decision causes the following test cases to fail: property-inject.html, property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html. We should address these in a separate update.

See bug #127853.