Bug 38922

Summary:

innerHTML decompilation issues in textarea

Product:

Security

Reporter:

eduardo <evn>

Component:

Security

Assignee:

Darin Adler <darin>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

cevans, darin, inferno, lcamtuf, yong.li.webkit

Priority:

Keywords:

InRadar

Version:

Other

Hardware:

All

OS:

All

URL:

http://code.google.com/p/chromium/issues/detail?id=43902

Attachments:

Description	Flags
Patch	darin: review+

eduardo

Reported 2010-05-11 12:15:23 PDT

Chrome and Safari (ergo, webkit) have a problem when they decompile innerHTML. This can be abused to create XSS attacks. When you read: node.innerHTML of a textarea, the chars inside are not encoded properly. PoC: Put this: <textarea></textarea><script>alert(1)</script></textarea> Here: http://0x.lv/innerHTMLinspect.html Greetings!!

Attachments
Patch (7.97 KB, patch) 2010-05-12 10:06 PDT, Abhishek Arya	darin: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

David Kilzer (:ddkilzer)

Comment 1 2010-05-11 12:43:58 PDT

<rdar://problem/7969861>

Darin Adler

Comment 2 2010-05-11 16:59:18 PDT

The problem seems to be in the appendStartMarkup function in markup.cpp in the Node::TEXT_NODE case, the appendUCharRange call. A test case for this should cover the <script>, <style>, <textarea>, and <xmp> elements and should be tested in other browsers to make sure their escaping behavior is the same.

Abhishek Arya

Comment 3 2010-05-11 17:05:57 PDT

I was planning to fix this, and it looks only on textarea and not on other elements. I compared the behavior with IE and we match on everything except textarea. For textarea, we need to html entity encode the output. <body> <script id=a1>//</textarea><script>alert(1)</script><def> </script> <style id=a2></textarea><script>alert(1)</script><def></style> <textarea id=a3></textarea><script>alert(1)</script><def></textarea> <xmp id=a4></textarea><script>alert(1)</script><def></xmp> <script> alert(document.getElementById('a1').innerHTML); alert(document.getElementById('a2').innerHTML); alert(document.getElementById('a3').innerHTML); alert(document.getElementById('a4').innerHTML); </script> </body> I can fix this. in the layout test, i will include the other elements as well.

Abhishek Arya

Comment 4 2010-05-11 17:10:50 PDT

Both IE and Firefox produce the output as </textarea><script>alert(1)</script><def> which means that it html entity encodes everything.

Abhishek Arya

Comment 5 2010-05-12 10:06:29 PDT

Created attachment 55864 [details] Patch

Abhishek Arya

Comment 6 2010-05-12 10:10:08 PDT

Darin, can you please review the patch and commit if it looks ok. Some notes: 1. checked that appendUCharRange is not used anywhere else in file other than textnodes. 2. checked that createMarkup call is used only for innerhtml and outerhtml calls. 3. outerHTML is not supported by Firefox, so last 4 don't match. 4. First 4 match in Firefox. 5. Everything except case 3 matches in IE. (a) reason for case 3 not match is IE does not support ' and fails during decoding it in textarea. (b) last 4 in IE are same except the fact that Tag name become capitalized e.g. <SCRIPT>. not a big deal for security :) 6. First 2 cases show fail in IE whereas their value is same since === used in shouldbe function does not work well in IE. FAIL innerHTML("script") should be /*"'&<>"'&<>"'&<>*/. Was /*"'&<>"'&<>"'&<>*/. FAIL innerHTML("style") should be /*"'&<>"'&<>"'&<>*/. Was /*"'&<>"'&<>"'&<>*/. 7. all browsers don't encode " and ' in textarea, but that is ok. 8. tested safari mac, all layout tests pass. checked that my layout tests passes on qt, gtk,chromium,safari win (although it should not matter).

Darin Adler

Comment 7 2010-05-12 10:35:07 PDT

Sure, I’ll land it.

Darin Adler

Comment 8 2010-05-12 10:38:31 PDT

I am going to rename these tests and put them in a different directory. There is no reason to include the words "XSS" in the test, and these do not relate to encoding. Also, we do not want the HTML file to be executable.

Abhishek Arya

Comment 9 2010-05-12 10:41:29 PDT

Thanks a lot Darin.

Darin Adler

Comment 10 2010-05-12 11:13:15 PDT

Committed r59241: <http://trac.webkit.org/changeset/59241>

Darin Adler

Comment 11 2010-05-12 11:16:16 PDT

Fixed ChangeLog entry in <http://trac.webkit.org/changeset/59242>.

Note You need to log in before you can comment on or make changes to this bug.