Consider a page A.html with the following markup:

    <!DOCTYPE html>
    <html>
    <body>
    <script>document.write(unescape(window.location));</script>
    </body>
    </html>

Suppose you navigate to "A.html?<img src=1 onerror=alert(1)". Then the XSS Auditor should block the execution of the injected onerror handler. But it does not.
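As an added example that is not part of this bug report or of WebKit, the following shows why the page's document.write(unescape(window.location)) sink reintroduces markup the browser had percent-encoded, beside a hardened rendering of the same value. The URL is a constructed sample and all function names are assumptions of this example.

```javascript
// Constructed sample: what window.location.href looks like after the browser
// percent-encodes the "<" and ">" typed into the query string.
const sampleLocation =
  "https://example.invalid/A.html?%3Cimg%20src=1%20onerror=alert(1)%3E";

// What A.html effectively writes into the document: unescape() undoes the
// percent-encoding, so the string handed to document.write() contains a live
// <img onerror=...> element rather than inert text.
function decodedMarkup(location) {
  return unescape(location);
}

// Minimal HTML-entity escaping so the URL is rendered as text, not parsed as markup.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened alternative: decode for display, then escape before writing. In a
// browser, assigning the decoded value to an element's textContent achieves
// the same thing without any manual escaping.
function safeHtmlForLocation(location) {
  return escapeHtml(unescape(location));
}

// Detection helper: does a string contain something the HTML parser would treat as a tag?
function containsTag(s) {
  return /<[a-z][^>]*>/i.test(s);
}

console.log(decodedMarkup(sampleLocation));      // contains <img src=1 onerror=alert(1)>
console.log(safeHtmlForLocation(sampleLocation)); // contains &lt;img ... &gt; only
```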
<rdar://problem/25962131>
Created attachment 292815
Patch and layout tests
Comment on attachment 292815
Patch and layout tests

Clearing flags on attachment: 292815

Committed r207848: <http://trac.webkit.org/changeset/207848>
All reviewed patches have been landed. Closing bug.