Bug 163978 - REGRESSION (r178265): XSS Auditor fails to block document.write() of incomplete tag
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Local Build
Hardware: All All
Importance: P2 Normal
Assignee: Daniel Bates
URL:
Keywords: InRadar, Regression, XSSAuditor
Depends on: 140166
Blocks:
Reported: 2016-10-25 13:37 PDT by Daniel Bates
Modified: 2016-10-25 15:10 PDT (History)
CC: 9 users

See Also:


Attachments
Patch and layout tests (12.87 KB, patch)
2016-10-25 13:46 PDT, Daniel Bates
no flags

Description Daniel Bates 2016-10-25 13:37:11 PDT
Consider a page A.html with the following markup:

<!DOCTYPE html>
<html>
<body>
<script>document.write(unescape(window.location));</script>
</body>
</html>

Suppose you navigate to "A.html?<img src=1 onerror=alert(1)". Then the XSS Auditor should block the execution of the injected onerror handler. But it does not.
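An added example, not part of the bug report and not WebKit's code, that models in Node.js why the incomplete tag in the report still yields an executable onerror handler and what a check over a reflected document.write() payload has to look at. The tokenizer is a deliberately simplified model of the HTML start-tag states (no comments, CDATA or character references), the auditor-style comparison is my own illustration rather than the XSS Auditor's algorithm, and the sample URL and trailing markup are constructed from the report's A.html.

```javascript
// Added example (not WebKit code). Simplified model of the HTML tokenizer's
// start-tag states: enough to show that an unclosed tag written by
// document.write() is completed by whatever markup follows the <script>
// element in the parser's input stream.

// Parse one start tag beginning at input[pos] === '<'. Returns
// { name, attrs, end } or null when no start tag is produced there (an end
// tag, a stray '<', or end of input inside the tag: no tag token is emitted).
function tokenizeStartTag(input, pos) {
  const isWs = (c) => c === ' ' || c === '\n' || c === '\t' || c === '\f' || c === '\r';
  if (input[pos] !== '<') return null;
  const m = /^[A-Za-z][^\s\/>]*/.exec(input.slice(pos + 1));
  if (!m) return null;
  const name = m[0].toLowerCase();
  const attrs = [];
  let i = pos + 1 + name.length;
  for (;;) {
    while (i < input.length && (isWs(input[i]) || input[i] === '/')) i++;
    if (i >= input.length) return null;            // EOF in tag: nothing emitted
    if (input[i] === '>') return { name, attrs, end: i + 1 };
    // An attribute name runs until whitespace, '=', '/' or '>'. A '<' here is
    // just another name character, so "</body>" turns into bogus attributes
    // and its '>' is what finally closes the tag.
    let aname = '';
    while (i < input.length && !isWs(input[i]) && !'=/>'.includes(input[i])) aname += input[i++];
    while (i < input.length && isWs(input[i])) i++;
    let value = '';
    if (input[i] === '=') {
      i++;
      while (i < input.length && isWs(input[i])) i++;
      const q = input[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < input.length && input[i] !== q) value += input[i++];
        i++;
      } else {
        while (i < input.length && !isWs(input[i]) && input[i] !== '>') value += input[i++];
      }
    }
    attrs.push({ name: aname.toLowerCase(), value });
  }
}

// Model of the parser's input stream after the script runs: the written text
// lands at the insertion point, i.e. immediately before the markup that
// follows the <script> element. Returns every start tag the parser builds.
function tagsProducedBy(written, markupAfterScript) {
  const stream = written + markupAfterScript;
  const tags = [];
  let pos = stream.indexOf('<');
  while (pos !== -1) {
    const tag = tokenizeStartTag(stream, pos);
    if (tag) { tags.push(tag); pos = stream.indexOf('<', tag.end); }
    else pos = stream.indexOf('<', pos + 1);
  }
  return tags;
}

// Auditor-style check (illustration, not WebKit's algorithm): an event-handler
// attribute on a tag the parser actually built, whose name=value text also
// appears in the decoded request URL, is reflected input. Matching against the
// completed tag matters: the URL never contained the closing '>' or the bogus
// attributes, so a check that expects the URL to hold a whole tag misses it.
function reflectedHandlers(requestUrl, markupAfterScript, written) {
  const decodedUrl = unescape(requestUrl);       // same decoding as the page
  const hits = [];
  for (const tag of tagsProducedBy(written, markupAfterScript)) {
    for (const a of tag.attrs) {
      if (a.name.startsWith('on') && a.value && decodedUrl.includes(`${a.name}=${a.value}`)) {
        hits.push({ tag: tag.name, attr: a.name, value: a.value });
      }
    }
  }
  return hits;
}

// The page-side fix: do not write unescaped input into markup at all.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Constructed sample: the report's URL as a browser would percent-encode it,
// and the markup that follows the <script> element in A.html.
const SAMPLE_URL = 'http://example.test/A.html?%3Cimg%20src=1%20onerror=alert(1)';
const AFTER_SCRIPT = '\n</body>\n</html>';

console.log(reflectedHandlers(SAMPLE_URL, AFTER_SCRIPT, unescape(SAMPLE_URL)));
// [ { tag: 'img', attr: 'onerror', value: 'alert(1)' } ]
console.log(reflectedHandlers(SAMPLE_URL, AFTER_SCRIPT, escapeHtml(unescape(SAMPLE_URL))));
// []
```

On its own, `tokenizeStartTag('<img src=1 onerror=alert(1)', 0)` returns null because the input ends inside the tag; once the page's own `</body>` follows it in the stream, the same text becomes an img element carrying the onerror attribute. Any auditor that reasons about the tag as it appears in the URL, rather than the tag the parser produces, will let this case through.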
Comment 1 Daniel Bates 2016-10-25 13:44:38 PDT
<rdar://problem/25962131>
Comment 2 Daniel Bates 2016-10-25 13:46:17 PDT
Created attachment 292815 [details]
Patch and layout tests
Comment 3 Daniel Bates 2016-10-25 15:10:10 PDT
Comment on attachment 292815 [details]
Patch and layout tests

Clearing flags on attachment: 292815

Committed r207848: <http://trac.webkit.org/changeset/207848>
Comment 4 Daniel Bates 2016-10-25 15:10:15 PDT
All reviewed patches have been landed.  Closing bug.