Bug 78732

Summary: XSS Auditor bypass with U+2028/2029
Product: WebKit
Reporter: Thomas Sepez <tsepez>
Component: WebCore Misc.
Assignee: Thomas Sepez <tsepez>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, dbates, webkit.review.bot
Priority: P2
Keywords: XSSAuditor
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Description: Patch.    Flags: none

Description Thomas Sepez 2012-02-15 13:14:56 PST
Originally reported by masatokinugawa at http://code.google.com/p/chromium/issues/detail?id=114346

The attacker can bypass XSS Auditor. 
Chrome Version: 17.0.963.46 stable affected.
Safari 5.1.2 is OK.

The reflected vector is: ?xss=%3Cscript%3E//%E2%80%A9alert(1)%3C/script%3E
<script>//[U+2028 or 2029]alert(1)</script>
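The reason the reflected vector above slips past a filter is that ECMAScript's line terminators are not just LF and CR: U+2028 (LINE SEPARATOR) and U+2029 (PARAGRAPH SEPARATOR) also end a `//` comment, so `//` followed by either of them leaves `alert(1)` as live code. The following is an added example, not code from the WebKit bug or from the patch, and the bug report does not say which part of the auditor mishandled these characters; the "naive" stripper below is an assumed stand-in for any filter that only recognizes LF and CR, placed next to one that uses the full ECMAScript set. The payload strings are constructed from the report's vector, and the engine check substitutes a benign assignment for `alert(1)`.

```javascript
// Added example (not from the WebKit bug or patch). Shows why a comment filter
// that only knows "\n" and "\r" misjudges the reported payload: ECMAScript also
// treats U+2028 (LINE SEPARATOR) and U+2029 (PARAGRAPH SEPARATOR) as line
// terminators, so "//" + U+2028 ends the comment and the rest executes.

// Constructed inputs: the reflected parameter from the report, percent-decoded,
// in its U+2028 and U+2029 variants.
const PAYLOAD_LS = "<script>//\u2028alert(1)</script>";
const PAYLOAD_PS = "<script>//\u2029alert(1)</script>";

// Line terminators as ECMAScript defines them: LF, CR, LS, PS.
const ECMA_LINE_TERMINATORS = new Set(["\n", "\r", "\u2028", "\u2029"]);

// Pull the inline script body out of the markup (deliberately simple).
function scriptBody(html) {
  const m = /<script>([\s\S]*?)<\/script>/i.exec(html);
  return m ? m[1] : "";
}

// Strip "//" line comments under a given notion of "line terminator".
// Returns the code that would remain for the engine to execute.
function stripLineComments(src, isTerminator) {
  let out = "";
  let i = 0;
  while (i < src.length) {
    if (src[i] === "/" && src[i + 1] === "/") {
      i += 2;
      while (i < src.length && !isTerminator(src[i])) i++;
      continue; // the terminator itself is copied by the next iteration
    }
    out += src[i++];
  }
  return out;
}

// Assumed naive filter: only LF and CR end a line.
const naiveIsTerminator = (ch) => ch === "\n" || ch === "\r";
// ECMAScript-correct set.
const ecmaIsTerminator = (ch) => ECMA_LINE_TERMINATORS.has(ch);

// Code that survives comment stripping under a given terminator model,
// with surrounding whitespace/terminators trimmed.
function liveCode(html, isTerminator) {
  return stripLineComments(scriptBody(html), isTerminator).trim();
}

// Ground truth from the engine itself: place a benign assignment (standing in
// for alert(1)) after "//" + ch. Returns true if that code ran, i.e. the
// engine ended the comment at ch.
function engineTreatsAsTerminator(ch) {
  const fn = new Function("var hit = 0; //" + ch + "hit = 1; return hit;");
  return fn() === 1;
}

// Stand-alone demonstration.
for (const [name, payload] of [["U+2028", PAYLOAD_LS], ["U+2029", PAYLOAD_PS]]) {
  console.log(name, "naive filter sees:", JSON.stringify(liveCode(payload, naiveIsTerminator)));
  console.log(name, "ECMAScript sees:  ", JSON.stringify(liveCode(payload, ecmaIsTerminator)));
}
console.log("engine ends comment at U+2028:", engineTreatsAsTerminator("\u2028"));
console.log("engine ends comment at U+2029:", engineTreatsAsTerminator("\u2029"));
console.log("engine ends comment at U+00A0:", engineTreatsAsTerminator("\u00a0"));
```

The practical check for any filter or auditor that reasons about JavaScript comments is to terminate `//` comments on the full ECMAScript set (LF, CR, U+2028, U+2029) rather than on LF and CR alone; the `engineTreatsAsTerminator` probe is a quick way to confirm the engine's own behaviour for any candidate code point.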
Comment 1 Thomas Sepez 2012-02-15 14:59:41 PST
Created attachment 127245 [details]
Patch.
Comment 2 WebKit Review Bot 2012-02-16 11:44:41 PST
Comment on attachment 127245 [details]
Patch.

Rejecting attachment 127245 [details] from commit-queue.

tsepez@chromium.org does not have committer permissions according to http://trac.webkit.org/browser/trunk/Tools/Scripts/webkitpy/common/config/committers.py.

- If you do not have committer rights please read http://webkit.org/coding/contributing.html for instructions on how to use bugzilla flags.

- If you have committer rights please correct the error in Tools/Scripts/webkitpy/common/config/committers.py by adding yourself to the file (no review needed).  The commit-queue restarts itself every 2 hours.  After restart the commit-queue will correctly respect your committer rights.
Comment 3 WebKit Review Bot 2012-02-16 12:30:25 PST
Comment on attachment 127245 [details]
Patch.

Clearing flags on attachment: 127245

Committed r107967: <http://trac.webkit.org/changeset/107967>
Comment 4 WebKit Review Bot 2012-02-16 12:30:29 PST
All reviewed patches have been landed.  Closing bug.