Bug 78732

Summary: XSS Auditor bypass with U+2028/2029
Product: WebKit
Reporter: Thomas Sepez <tsepez>
Component: WebCore Misc.
Assignee: Thomas Sepez <tsepez>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, dbates, webkit.review.bot
Priority: P2
Keywords: XSSAuditor
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments: Patch. (flags: none)

Thomas Sepez
Reported 2012-02-15 13:14:56 PST
Originally reported by masatokinugawa at http://code.google.com/p/chromium/issues/detail?id=114346

The attacker can bypass XSS Auditor.

Chrome Version: 17.0.963.46 stable affected. Safari 5.1.2 is OK.

The reflected vector is:
?xss=%3Cscript%3E//%E2%80%A9alert(1)%3C/script%3E

<script>//[U+2028 or 2029]alert(1)</script>
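The vector works because ECMA-262 (section 7.3) counts U+2028 LINE SEPARATOR and U+2029 PARAGRAPH SEPARATOR as line terminators: to the JavaScript engine, `//<U+2029>alert(1)` is a one-character comment followed by live code, while a filter that only knows `\n` and `\r` as line endings reads the whole body as one comment and has nothing left to match against the request. The JavaScript below is an added example, not WebKit's XSSAuditor and not the landed patch: it models a comment-skipping step with the two newline definitions side by side and uses `new Function` to show the engine's own reading of the same text. The function names, the constructed payload handling and the exact shape of the filter logic are assumptions for illustration.

```javascript
// Added example (not WebKit's XSSAuditor): models a "skip leading //
// comments, then compare what remains with the request" filter step so the
// U+2028/U+2029 bypass can be reproduced offline with node.

// Newline definitions: an ASCII-only set, and the ECMA-262 LineTerminator
// set (section 7.3), which adds U+2028 and U+2029.
const ASCII_NEWLINES = new Set(['\n', '\r']);
const JS_LINE_TERMINATORS = new Set(['\n', '\r', '\u2028', '\u2029']);

// Return the script text that follows any leading "//" comments, using the
// given newline set to decide where each comment ends.
function codeAfterLeadingComments(script, newlines) {
  let i = 0;
  while (i < script.length) {
    if (script[i] === ' ' || script[i] === '\t') { i++; continue; }
    if (script.startsWith('//', i)) {
      // Consume the comment up to and including its terminating newline.
      i += 2;
      while (i < script.length && !newlines.has(script[i])) i++;
      i++;
      continue;
    }
    break;
  }
  return script.slice(i);
}

// Hypothetical filter decision: block the reflected script only when the
// code that survives comment skipping is present in the request value.
function auditorBlocks(requestValue, scriptBody, newlines) {
  const snippet = codeAfterLeadingComments(scriptBody, newlines);
  return snippet.length > 0 && requestValue.includes(snippet);
}

// Constructed reproduction of the reported vector: the parameter value is
// assumed to be reflected verbatim into the page as a <script> element.
const PAYLOAD = decodeURIComponent('%3Cscript%3E//%E2%80%A9alert(1)%3C/script%3E');
const SCRIPT_BODY = PAYLOAD.slice('<script>'.length, -'</script>'.length); // "//\u2029alert(1)"

// What the engine does with "//" + ch + code: true if the code after ch runs,
// i.e. if ch terminated the line comment.
function engineRunsCodeAfter(ch) {
  return new Function('//' + ch + 'return true')() === true;
}

// Stand-alone run: show both filter variants and the engine's view.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('ASCII-newline filter keeps:', JSON.stringify(codeAfterLeadingComments(SCRIPT_BODY, ASCII_NEWLINES)));
  console.log('JS-terminator filter keeps:', JSON.stringify(codeAfterLeadingComments(SCRIPT_BODY, JS_LINE_TERMINATORS)));
  console.log('blocked with ASCII newlines:', auditorBlocks(PAYLOAD, SCRIPT_BODY, ASCII_NEWLINES));
  console.log('blocked with JS terminators:', auditorBlocks(PAYLOAD, SCRIPT_BODY, JS_LINE_TERMINATORS));
  console.log('engine runs code after U+2029:', engineRunsCodeAfter('\u2029'));
  console.log('engine runs code after U+00A0:', engineRunsCodeAfter('\u00a0'));
}
```

The ASCII-only variant returns an empty snippet for the reported body, so a filter built on it has nothing to compare with the request and lets the script through; the variant using the ECMA-262 terminator set keeps `alert(1)`, finds it in the request, and blocks. The `engineRunsCodeAfter` check is the ground truth the filter has to agree with: U+2028 and U+2029 end a line comment, U+00A0 (an ordinary whitespace character) does not.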
Attachments
Patch. (3.93 KB, patch)
2012-02-15 14:59 PST, Thomas Sepez
no flags
Thomas Sepez
Comment 1 2012-02-15 14:59:41 PST
WebKit Review Bot
Comment 2 2012-02-16 11:44:41 PST
Comment on attachment 127245 [details] Patch.

Rejecting attachment 127245 [details] from commit-queue.

tsepez@chromium.org does not have committer permissions according to http://trac.webkit.org/browser/trunk/Tools/Scripts/webkitpy/common/config/committers.py.

- If you do not have committer rights please read http://webkit.org/coding/contributing.html for instructions on how to use bugzilla flags.

- If you have committer rights please correct the error in Tools/Scripts/webkitpy/common/config/committers.py by adding yourself to the file (no review needed).

The commit-queue restarts itself every 2 hours. After restart the commit-queue will correctly respect your committer rights.
WebKit Review Bot
Comment 3 2012-02-16 12:30:25 PST
Comment on attachment 127245 [details] Patch.

Clearing flags on attachment: 127245

Committed r107967: <http://trac.webkit.org/changeset/107967>
WebKit Review Bot
Comment 4 2012-02-16 12:30:29 PST
All reviewed patches have been landed. Closing bug.