RESOLVED WONTFIX
127853
[XSSAuditor] Improve detection of inline event handlers
https://bugs.webkit.org/show_bug.cgi?id=127853
Summary
[XSSAuditor] Improve detection of inline event handlers
Fabien Duchene
Reported
2014-01-29 13:41:56 PST
Created attachment 222592 [details]: proof of concept of type-1 filter bypass

Hi,

If there is a reflection in the attribute context of a <SOURCE> tag, it seems the taint is not inferred in the event handlers, and as a result, such a reflection case is not caught by your Type-1 XSS filter.

eg:

<?php global $_GET; print('<video><source '.$_GET['arg'].'></source></video>'); ?>

http://car-online.fr/en/CTF-tools/chrome_xss_2/?arg=onerror%3Dalert(1)

I understood that you only consider 1 parameter to be reflected, which is the case here.

Best,
Attachments
proof of concept of type-1 filter bypass (91.35 KB, image/png), 2014-01-29 13:41 PST, Fabien Duchene, no flags
Fabien Duchene
Comment 1
2014-01-29 13:48:32 PST
tested on version: 32.0.1700.77
Fabien Duchene
Comment 2
2014-01-29 13:55:50 PST
also tested: 32.0.1700.102
Daniel Bates
Comment 3
2014-02-11 12:21:40 PST
Thanks Fabien for the bug report. Towards reducing the number of false positives, the XSS Auditor does not detect the injection of an inline event handler within a tag. "We believe that the majority of such injections occur as part of breaking out of a quoted property and thus a request that does not contain a single or double quote can be allowed." (comment 0, bug #29944)
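Added example (not code from the WebKit project or from the reporter): a toy Python model of the quote heuristic quoted in comment 3, run against the reflection pattern from the report, next to the server-side fix of attribute-encoding the reflected value. The function names and the sample values for the `arg` parameter are constructed for this illustration.

```python
import html
from html.parser import HTMLParser

# Reflection pattern from the report: the query value lands unescaped in the
# attribute context of a <source> tag (Python stand-in for the PHP one-liner).
def render_unsafe(arg: str) -> str:
    return f"<video><source {arg}></source></video>"

# Server-side fix: attribute-encode the value and keep it inside a quoted
# attribute, so it can never start a new attribute or an event handler.
def render_safe(arg: str) -> str:
    return f'<video><source src="{html.escape(arg, quote=True)}"></source></video>'

def quote_heuristic_skips(arg: str) -> bool:
    """Toy model of the shortcut quoted in comment 3: a request with no single
    or double quote is assumed unable to break out of a quoted attribute, so
    injected inline handlers in it are not looked for."""
    return "'" not in arg and '"' not in arg

class HandlerFinder(HTMLParser):
    """Collects (tag, attribute) for every inline on* handler the parser sees.
    Unlike a substring match, text inside a quoted value such as
    src="&quot; onerror=..." is correctly treated as a value, not an attribute."""
    def __init__(self) -> None:
        super().__init__()
        self.handlers: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name))

def inline_handlers(markup: str) -> list[tuple[str, str]]:
    finder = HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers

def evaluate(arg: str) -> dict:
    """Compare the heuristic's verdict with what the rendered markup contains."""
    return {
        "heuristic_skips": quote_heuristic_skips(arg),
        "unsafe_has_handler": bool(inline_handlers(render_unsafe(arg))),
        "safe_has_handler": bool(inline_handlers(render_safe(arg))),
    }

# Constructed sample values for 'arg', mirroring the report's quote-less case.
SAMPLE_ARGS = {"benign": "src=clip.mp4", "bug_payload": "onerror=alert(1)"}

if __name__ == "__main__":
    for label, arg in SAMPLE_ARGS.items():
        print(label, evaluate(arg))
```

For the quote-less payload the heuristic skips the request while the unsafe rendering does contain an inline handler, which is exactly the gap the report describes; the attribute-encoded rendering contains none for any input.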
Daniel Bates
Comment 4
2014-02-11 12:28:03 PST
This isn't a security bug. We should look to fix the following XSS Auditor tests: property-inject.html, property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html.
Brent Fulgham
Comment 5
2021-09-21 14:29:21 PDT
The XSS Auditor is removed in Bug 230499.