WebKit Bugzilla
RESOLVED FIXED
Bug 163978: REGRESSION (r178265): XSS Auditor fails to block document.write() of incomplete tag
https://bugs.webkit.org/show_bug.cgi?id=163978
Daniel Bates
Reported 2016-10-25 13:37:11 PDT

Consider a page A.html with the following markup:

<!DOCTYPE html>
<html>
<body>
<script>document.write(unescape(window.location));</script>
</body>
</html>

Suppose you navigate to "A.html?<img src=1 onerror=alert(1)". Then the XSS Auditor should block the execution of the injected onerror handler. But it does not.
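Added example, not part of the original report and not WebKit code: the test page's sink beside a hardened form, showing that a filter which matches only complete tags leaves the report's incomplete tag untouched, while HTML-encoding before the write neutralizes it. All function names and the sample URL are hypothetical and constructed for illustration.

```javascript
// Added example (not WebKit code). Function names are hypothetical.

// Constructed sample: the URL from the report as a browser would serialize it.
// The injected tag has no closing ">".
const SAMPLE_URL = "http://example.test/A.html?%3Cimg%20src=1%20onerror=alert(1)";

// What A.html hands to document.write(): the decoded URL, unmodified.
function vulnerableOutput(url) {
  return unescape(url);
}

// Naive filter: removes only complete tags of the form <...>.
// An incomplete tag contains no ">" and therefore never matches.
function stripCompleteTags(text) {
  return text.replace(/<[^>]*>/g, "");
}

// Output encoding for an HTML text context.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened sink input: decode first, then encode for the HTML context,
// so no "<" from the URL can open a tag when the string is written.
function hardenedOutput(url) {
  return escapeHtml(unescape(url));
}

// True if the string would still start a tag when written into the page.
function containsTagOpener(text) {
  return /<[A-Za-z/!?]/.test(text);
}

const decoded = vulnerableOutput(SAMPLE_URL);
console.log("decoded:        ", decoded);
console.log("tags stripped:  ", stripCompleteTags(decoded));
console.log("HTML-encoded:   ", hardenedOutput(SAMPLE_URL));
```

The page's own fix is to avoid writing the decoded URL as markup; the XSS Auditor is a second line of defence behind that.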
Attachments
Patch and layout tests (12.87 KB, patch), 2016-10-25 13:46 PDT, Daniel Bates, no flags
Daniel Bates
Comment 1
2016-10-25 13:44:38 PDT
<rdar://problem/25962131>
Daniel Bates
Comment 2
2016-10-25 13:46:17 PDT
Created attachment 292815
Patch and layout tests
Daniel Bates
Comment 3
2016-10-25 15:10:10 PDT
Comment on attachment 292815
Patch and layout tests

Clearing flags on attachment: 292815

Committed r207848: <http://trac.webkit.org/changeset/207848>
Daniel Bates
Comment 4
2016-10-25 15:10:15 PDT
All reviewed patches have been landed. Closing bug.