Bug 243588 - Parser bug can introduce mXSS and HTML sanitizers bypass
Summary: Parser bug can introduce mXSS and HTML sanitizers bypass
Status: RESOLVED CONFIGURATION CHANGED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: Safari 15
Hardware: Mac (Apple Silicon) macOS 12
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-08-05 08:04 PDT by Ahmad Saleem
Modified: 2022-08-06 00:05 PDT (History)
5 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ahmad Saleem 2022-08-05 08:04:11 PDT 
Hi Team,

I was dumpster diving again in Mozilla Bugzilla to identify any test cases in DOM Parser where Safari / Webkit might be different and then testing them across all browser to ensure that Webkit can get to be more web-compatible and came across following test case:

Test Case Link - https://jsbin.com/yomabutoze/edit?html,output

Mozilla Bug - https://bugzilla.mozilla.org/show_bug.cgi?id=1598466

Chrome Bug - https://bugs.chromium.org/p/chromium/issues/detail?id=1005713

Some Blog Post - https://research.securitum.com/dompurify-bypass-using-mxss/

Web-Spec Chrome Discussion - https://bugs.chromium.org/p/chromium/issues/detail?id=1005713#c10

Commit - https://chromium.googlesource.com/chromium/src.git/+/d16226271d4d501de19f019aba1c145930b45503

*** STEPS TO REPRODUCE ***

1) Open Test Case Link
2) Notice Behavior

<< ACTUAL RESULT >>

Safari get dialog with '1' value

<< EXPECTED RESULT >>

No Dialog box similar to other browsers.

___

Appreciate if this can be fixed so there is no dialog box similar to other browsers.

Thanks
Comment 1 Radar WebKit Bug Importer 2022-08-05 14:28:33 PDT 
<rdar://problem/98212299>
Comment 2 Ryosuke Niwa 2022-08-06 00:05:32 PDT 
Chris recently fixed this.