Test case: https://xenon.stanford.edu/~collinj/test/ie8xss/xsstest.php?q=<script>alert(/XSS/)//h%01</script>
Created attachment 32165: Patch with test

Upon further investigation, we need to remove null characters, since the HTMLTokenizer does so when processing scripts (i.e. the contents of <script>al\0ert(1)</script> become alert(1) by the time they are passed to XSSAuditor). Let me know if this change is better addressed in a separate bug.
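The mismatch described in this comment, as an added standalone illustration (not WebKit's XSSAuditor code): the tokenizer drops NUL and other control bytes from a script body, so a check that compares the tokenized script against the raw decoded request misses an injection that carried such a byte. The assumptions are that the tokenizer strips C0 control characters other than tab, LF and CR, and that the request is compared after %XX decoding; the function names and the query strings are constructed for this example.

```cpp
#include <cctype>
#include <cstdlib>
#include <string>

// Constructed example, not WebKit code. Assumption: the HTML tokenizer drops
// NUL and other C0 control characters from script bodies but keeps ordinary
// whitespace (tab, LF, CR), so the auditor must canonicalize the same way.
std::string stripControlChars(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (unsigned char c : in) {
        if (c < 0x20 && c != '\t' && c != '\n' && c != '\r')
            continue; // dropped, matching the tokenizer's behaviour
        out.push_back(static_cast<char>(c));
    }
    return out;
}

// Minimal %XX decoder for a query string (constructed helper; '+' is left as-is).
std::string percentDecode(const std::string& in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()
            && std::isxdigit(static_cast<unsigned char>(in[i + 1]))
            && std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            const std::string hex = in.substr(i + 1, 2);
            out.push_back(static_cast<char>(std::strtol(hex.c_str(), nullptr, 16)));
            i += 2;
        } else {
            out.push_back(in[i]);
        }
    }
    return out;
}

// Naive check: looks for the script text exactly as the tokenizer emitted it
// inside the decoded request. A NUL inside the injected script makes the two
// strings differ, so the reflection goes unnoticed.
bool naiveReflectedScript(const std::string& tokenizedScript,
                          const std::string& requestQuery) {
    return percentDecode(requestQuery).find(tokenizedScript) != std::string::npos;
}

// Fixed check: apply the same control-character stripping to the request that
// the tokenizer applied to the script, so both sides are compared in one form.
bool canonicalReflectedScript(const std::string& tokenizedScript,
                              const std::string& requestQuery) {
    const std::string canonRequest = stripControlChars(percentDecode(requestQuery));
    const std::string canonScript = stripControlChars(tokenizedScript);
    return canonRequest.find(canonScript) != std::string::npos;
}

int main() {
    // Constructed request carrying a NUL inside the script: the tokenizer
    // hands the auditor "alert(1)", but the raw request still holds the NUL.
    const std::string nullQuery = "q=%3Cscript%3Eal%00ert(1)%3C/script%3E";
    return (!naiveReflectedScript("alert(1)", nullQuery)
            && canonicalReflectedScript("alert(1)", nullQuery)) ? 0 : 1;
}
```

The control-character URL from the test case above behaves the same way once both sides are canonicalized: the tokenizer yields `alert(/XSS/)//h` and the stripped request contains that text, so the reflection is recognized.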
Comment on attachment 32165: Patch with test

Great patch. Thanks.
Sending        LayoutTests/ChangeLog
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-control-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-control-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-null-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-null-char.html
Sending        WebCore/ChangeLog
Sending        WebCore/page/XSSAuditor.cpp
Sending        WebCore/page/XSSAuditor.h
Sending        WebCore/platform/network/ResourceResponseBase.cpp
Sending        WebCore/platform/network/ResourceResponseBase.h
Transmitting file data ..........
Committed revision 45461.