Bug 49235

Summary: Searching for “return false” (including double-quotes) on google.com results in redirect to about:blank
Product: WebKit
Reporter: Sze <sze.chan>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, ap, dbates, mrowe
Priority: P3
Keywords: InRadar, XSSAuditor
Version: 528+ (Nightly build)
Hardware: Mac (Intel)
OS: OS X 10.5

Attachments:
Description: Character for Character to be typed in Search Field. Flags: none

Description Sze 2010-11-08 19:51:46 PST
There is a weird bug that happens when typing in the Search Field for WebKit-based browsers.

  Typing in "return false" results in a blank window instance.

  Typing in "return true" will return a search results page from Default Search Provider (Google, Bing, Yahoo!).
Comment 1 Alexey Proskuryakov 2010-11-08 22:26:09 PST
I cannot reproduce this in Safari 5.0.2.
Comment 2 Sze 2010-11-09 04:25:21 PST
Created attachment 73356 [details]
Character for Character to be typed in Search Field.
Comment 3 Mark Rowe (bdash) 2010-11-09 05:16:16 PST
This only happens with Google AFAICT, and it also happens when searching from <http://www.google.com/>.
Comment 4 Alexey Proskuryakov 2010-11-09 08:34:24 PST
I still cannot reproduce. Maybe the Russian version of google.com doesn't have this issue.

> This only happens with Google AFAICT, and it also happens when searching from
> <http://www.google.com/>.

Does this happen with spoofed UA?
Comment 5 Alexey Proskuryakov 2010-11-09 08:40:17 PST
Also, is there any console output? Redirect to about:blank is a common symptom of XSS Auditor being unhappy with a site.
Comment 6 Sze 2010-11-09 09:05:47 PST
No problem with Safari Mobile surprisingly.
Comment 7 Daniel Bates 2010-11-09 23:47:27 PST
I was unable to reproduce this issue by searching for "return false" using Safari's built-in search or searching for a single query directly from http://www.google.com.

After playing with the live search on Google.com, I was able to reproduce this issue with the following URL: <http://www.google.com/search?client=safari&rls=en&q=return+true;&ie=UTF-8&oe=UTF-8#sclient=psy&hl=en&client=safari&rls=en&q=creating-a-polaroid-effect-with-css%3B+%22return+false%22&aq=f&aqi=&aql=&oq=&gs_rfai=&pbx=1&fp=6e8733203d1b4e27>. Simplifying this URL we have: <http://www.google.com/search?&q=return+true;#%22return+false%22>.

This bug demonstrates a false positive.

Notice, for certain queries (e.g. <http://www.google.com/search?&q=return+true;>) Google will show a hyperlink of the form "Show more results from return-true.com" that has an onclick inline event handler whose value is "return false" (e.g. <a href="..." onclick="return false">Show more results from return-true.com</a>). Constructing a query that includes the phrase "return false" such that the search results page has a "Show more results from ..." hyperlink will result in the XSS Auditor blocking the registration of the onclick event handler since its value ("return false") appears in the URL. And because Google.com requests full-page blocking (i.e. HTTP header "X-XSS-Protection: 1; mode=block") we redirect to about:blank when we detect that the source code of the inline event handler is a substring of the page URL.
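The false-positive mechanism described in the comment above, modeled as an added example (this is not WebKit's auditor code): a simplified auditor that percent-decodes the whole URL, treats "+" as a space (an assumption about the old auditor's normalization), and flags any inline handler whose source is a substring of the decoded URL; the results-page markup and header values are constructed from the comment's description.

```python
from html.parser import HTMLParser
from urllib.parse import unquote


def canonicalize_url(url: str) -> str:
    """Approximate the old auditor's URL normalization (assumption): percent-decode
    the whole URL, fragment included, and treat '+' as a space as form encoding
    does. This is why "%22return+false%22" in the fragment ends up matching."""
    return unquote(url).replace("+", " ")


class InlineHandlerCollector(HTMLParser):
    """Collect every on* attribute value, i.e. each inline event handler's source."""

    def __init__(self):
        super().__init__()
        self.handlers = []  # (tag, attribute, handler source)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on") and value is not None:
                self.handlers.append((tag, name, value))


def audit(url: str, html: str, xss_protection: str):
    """Return the auditor's verdict and the handlers it flagged."""
    decoded = canonicalize_url(url)
    collector = InlineHandlerCollector()
    collector.feed(html)
    flagged = [h for h in collector.handlers if h[2] in decoded]
    if not flagged:
        return "allow", []
    # "1; mode=block" (what the comment says google.com sends) navigates to
    # about:blank; a plain "1" would only suppress the matching handler.
    verdict = "block-page" if "mode=block" in xss_protection else "strip-handlers"
    return verdict, flagged


# Constructed excerpt of the results page as described above (not Google's real markup):
# a hidden "Show more results from ..." link whose onclick source is "return false".
RESULTS_PAGE = (
    '<div style="display:none">'
    '<a href="/search?q=site:return-true.com" onclick="return false">'
    "Show more results from return-true.com</a></div>"
)
TRIGGER_URL = "http://www.google.com/search?&q=return+true;#%22return+false%22"
SAFE_URL = "http://www.google.com/search?&q=return+true;"
```

Running `audit(TRIGGER_URL, RESULTS_PAGE, "1; mode=block")` yields "block-page" with the onclick handler flagged, while `SAFE_URL` is allowed because "return false" never appears in the decoded URL.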
Comment 8 Mark Rowe (bdash) 2010-11-10 00:02:54 PST
For what it’s worth, I was seeing this behavior only when signed in to an account.  After signing out it stopped.  I’m not sure how that changes what Google does.
Comment 9 Alexey Proskuryakov 2010-11-10 00:29:07 PST
Yes, that exactly matches my results - I can only see this when logged in.

The URL (after entering the search phrase in Safari search bar) was <http://www.google.com/search?client=safari&rls=en&q=%22return+false%22&ie=UTF-8&oe=UTF-8>.
Comment 10 Alexey Proskuryakov 2010-11-10 00:36:23 PST
> Constructing a query that includes the phrase "return false" such that the search results page has a "Show more results from ..." hyperlink will result in the XSS Auditor blocking the registration of the onclick event handler since its value ("return false") appears in the URL.

Yes, that's where "return false" is indeed. One difference from your analysis is that the hyperlink is invisible for me, being in a display:none div.
Comment 11 Mark Rowe (bdash) 2011-01-19 14:36:46 PST
<rdar://problem/8878934>
Comment 12 Adam Barth 2011-08-19 13:38:28 PDT
This bug is fixed by the new XSS auditor architecture.