RESOLVED FIXED 130475
XSS Auditor doesn't block <script> injected before an existing <script> 
https://bugs.webkit.org/show_bug.cgi?id=130475
Summary XSS Auditor doesn't block <script> injected before an existing <script>
Daniel Bates
Reported 2014-03-19 14:20:47 PDT
Without loss of generality, consider a page with the following PHP markup: <!DOCTYPE html> <html> <body> <?php echo $_GET["q"] ?><script>function dummy() {}</script> </body> </html> Take q := "<script>alert(/XSS/)". Then the page displays a JavaScript alert with message "/XSS/".
Attachments
Layout tests (4.92 KB, patch)
2014-03-19 14:31 PDT, Daniel Bates 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Daniel Bates
Comment 2 2014-03-19 14:21:22 PDT
<rdar://problem/16348414>
Daniel Bates
Comment 3 2014-03-19 14:31:32 PDT
Created attachment 227218 [details] Layout tests DRT layout tests. We may also want to supplement these tests with Thomas Sepez's tests in <https://codereview.chromium.org/205243002/>.
Daniel Bates
Comment 4 2014-03-19 14:38:15 PDT
(In reply to comment #3) > Created an attachment (id=227218) [details] > Layout tests > > DRT layout tests. We may also want to supplement these tests with Thomas Sepez's tests in <https://codereview.chromium.org/205243002/>. I should add that the contents of the included -expected.txt files need to be updated.
David Kilzer (:ddkilzer)
Comment 5 2014-03-22 19:11:14 PDT
Fixed in Blink: <http://src.chromium.org/viewvc/blink?view=rev&rev=169697>
Daniel Bates
Comment 6 2014-03-24 16:12:27 PDT
Committed r166202: <http://trac.webkit.org/changeset/166202>
Note You need to log in before you can comment on or make changes to this bug.