| Field | Value |
|---|---|
| Summary | xssauditor - bypass with unterminated closing script tag |
| Product | WebKit |
| Component | WebKit Misc. |
| Reporter | Thomas Sepez <tsepez> |
| Assignee | Thomas Sepez <tsepez> |
| Status | RESOLVED FIXED |
| Severity | Minor |
| Priority | P2 |
| CC | abarth, webkit.review.bot |
| Version | 528+ (Nightly build) |
| Hardware | All |
| OS | All |
| Bug Depends on | |
| Bug Blocks | 66579 |
| Attachments | 107887: Patch to set end location of token before additional buffering takes place. |
Description
Thomas Sepez
2011-09-16 14:47:06 PDT
Created attachment 107887 [details]
Patch to set end location of token before additional buffering takes place.
Comment on attachment 107887 [details]
Patch to set end location of token before additional buffering takes place.

View in context: https://bugs.webkit.org/attachment.cgi?id=107887&action=review

> Source/WebCore/html/parser/HTMLTokenizer.cpp:305
> - if (cc == '<')
> + if (cc == '<') {
> + // Token might end here. If not, we'll come through here again
> + // and update the end location again.
> + m_token->end(source.numberOfCharactersConsumed());
> HTML_ADVANCE_TO(ScriptDataLessThanSignState);
> + }

Interesting. We have this same problem for CDATA and RCDATA. For example, the <title> and the <style> tags. It would be good to apply this kind of fix in those cases too, maybe in a follow-up patch.

This patch feels a little bit like a hack because we're only doing this in one case, but I do agree that this patch is moving us in the right direction because the tokenizer should be setting the end marker for the token.

Comment on attachment 107887 [details]
Patch to set end location of token before additional buffering takes place.

Clearing flags on attachment: 107887

Committed r95451: <http://trac.webkit.org/changeset/95451>

All reviewed patches have been landed. Closing bug.
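Review bot: the end marker is only updated on the `<` branch of this one state (`m_token->end(source.numberOfCharactersConsumed());` immediately before `HTML_ADVANCE_TO(ScriptDataLessThanSignState);`), so the token range the XSS auditor sees is corrected for `<script>` content alone, while the other states that buffer a possible closing tag (the RCDATA and RAWTEXT cases abarth names for `<title>` and `<style>`) keep the stale end location and the same unterminated-closing-tag mismatch the bug title describes. Rather than duplicating this branch per state, the end-location update would be better placed on the shared path that starts buffering a candidate end tag, so every tokenizer state that can leave a token unterminated records the same position. The hunk also shows no accompanying test: a layout test whose script block ends in an unterminated `</script` and checks the auditor's reported token range would pin the fix and catch any of the remaining states being missed in the follow-up.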