| Summary: | innerHTML decompilation issues in textarea | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Security | Reporter: | eduardo <evn> | ||||
| Component: | Security | Assignee: | Darin Adler <darin> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | CC: | cevans, darin, inferno, lcamtuf, yong.li.webkit | ||||
| Priority: | P2 | Keywords: | InRadar | ||||
| Version: | Other | ||||||
| Hardware: | All | ||||||
| OS: | All | ||||||
| URL: | http://code.google.com/p/chromium/issues/detail?id=43902 | ||||||
| Attachments: |
|
||||||
|
Description
eduardo
2010-05-11 12:15:23 PDT
The problem seems to be in the appendStartMarkup function in markup.cpp in the Node::TEXT_NODE case, the appendUCharRange call. A test case for this should cover the <script>, <style>, <textarea>, and <xmp> elements and should be tested in other browsers to make sure their escaping behavior is the same. I was planning to fix this, and it looks only on textarea and not on other elements. I compared the behavior with IE and we match on everything except textarea. For textarea, we need to html entity encode the output.
<body>
<script id=a1>//</textarea><script>alert(1)</script><def>
</script>
<style id=a2></textarea><script>alert(1)</script><def></style>
<textarea id=a3></textarea><script>alert(1)</script><def></textarea>
<xmp id=a4></textarea><script>alert(1)</script><def></xmp>
<script>
alert(document.getElementById('a1').innerHTML);
alert(document.getElementById('a2').innerHTML);
alert(document.getElementById('a3').innerHTML);
alert(document.getElementById('a4').innerHTML);
</script>
</body>
I can fix this. in the layout test, i will include the other elements as well.
Both IE and Firefox produce the output as </textarea><script>alert(1)</script><def> which means that it html entity encodes everything. Created attachment 55864 [details]
Patch
Darin, can you please review the patch and commit if it looks ok.
Some notes:
1. checked that appendUCharRange is not used anywhere else in file other than textnodes.
2. checked that createMarkup call is used only for innerhtml and outerhtml calls.
3. outerHTML is not supported by Firefox, so last 4 don't match.
4. First 4 match in Firefox.
5. Everything except case 3 matches in IE.
(a) reason for case 3 not match is IE does not support ' and fails during decoding it in textarea.
(b) last 4 in IE are same except the fact that Tag name become capitalized e.g. <SCRIPT>. not a big deal for security :)
6. First 2 cases show fail in IE whereas their value is same since === used in shouldbe function does not work well in IE.
FAIL innerHTML("script") should be /*"'&<>"'&<>"'&<>*/. Was /*"'&<>"'&<>"'&<>*/.
FAIL innerHTML("style") should be /*"'&<>"'&<>"'&<>*/. Was /*"'&<>"'&<>"'&<>*/.
7. all browsers don't encode " and ' in textarea, but that is ok.
8. tested safari mac, all layout tests pass. checked that my layout tests passes on qt, gtk,chromium,safari win (although it should not matter).
Sure, I’ll land it. I am going to rename these tests and put them in a different directory. There is no reason to include the words "XSS" in the test, and these do not relate to encoding. Also, we do not want the HTML file to be executable. Thanks a lot Darin. Committed r59241: <http://trac.webkit.org/changeset/59241> Fixed ChangeLog entry in <http://trac.webkit.org/changeset/59242>. |