RESOLVED FIXED 26938
XSSAuditor should accommodate common, slight transformations.
https://bugs.webkit.org/show_bug.cgi?id=26938
Matthew Murphy
Reported 2009-07-02 15:49:27 PDT
The reflective XSS filter landed in Bug #26199 is too strict in evaluating whether inputs were reflected back into the output. If, for example, the server-side code does the equivalent of a PHP addslashes() on the input, then the following input will dodge the filter while still executing script:

<script>var bogus=/\/; alert(document.URL);</script>

The backslash will be doubled, resulting in an output that's subtly different than its input.

IE's filter accounts for such subtle differences between input and output using regular expressions, and perhaps we should do the same.
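The mismatch the report describes can be reproduced with a small model of a reflective filter. The following is an added example written for this page, not WebKit's XSSAuditor code: it emulates the server-side addslashes() transformation (escaping of backslash and both quote characters only; the NUL case is omitted), shows that an exact substring check no longer sees the reflected fragment once the backslash is doubled, and then shows a tolerant, regex-based comparison of the kind the reporter suggests, where each backslash in the input may match one or more backslashes in the output and quotes may appear with or without an escaping backslash. The payload string is the one from the report; the page wrapper and function names are constructed for the example.

```python
import re

# Constructed sample: the input from the report, as a Python string literal.
PAYLOAD = "<script>var bogus=/\\/; alert(document.URL);</script>"


def addslashes(s: str) -> str:
    """Approximation of PHP addslashes(): prefix \\, ' and \" with a backslash.
    (PHP also escapes NUL; that case is omitted here.)"""
    return re.sub(r"([\\'\"])", r"\\\1", s)


def reflect(fragment: str, transform=None) -> str:
    """Constructed server response that echoes the request fragment into HTML,
    optionally after applying a server-side transformation."""
    if transform is not None:
        fragment = transform(fragment)
    return "<html><body>Search results for: " + fragment + "</body></html>"


def naive_reflected(fragment: str, body: str) -> bool:
    """Exact-match check: did the request fragment appear verbatim in the response?"""
    return fragment in body


def tolerant_pattern(fragment: str) -> "re.Pattern[str]":
    """Build a regex that accepts common slight transformations of `fragment`:
    - a backslash in the input may come back as one or more backslashes,
    - a quote may come back with an optional escaping backslash before it,
    - a whitespace character may come back as any run of whitespace.
    Everything else must match literally."""
    parts = []
    for ch in fragment:
        if ch == "\\":
            parts.append(r"\\+")
        elif ch in "'\"":
            parts.append(r"\\?" + re.escape(ch))
        elif ch.isspace():
            parts.append(r"\s+")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def tolerant_reflected(fragment: str, body: str) -> bool:
    """Transformation-aware check: does the response contain the fragment
    modulo the slight transformations accepted by tolerant_pattern()?"""
    return tolerant_pattern(fragment).search(body) is not None


def compare(fragment: str, body: str) -> dict:
    """Run both checks side by side so the gap between them is visible."""
    return {
        "naive": naive_reflected(fragment, body),
        "tolerant": tolerant_reflected(fragment, body),
    }


if __name__ == "__main__":
    plain = reflect(PAYLOAD)
    slashed = reflect(PAYLOAD, addslashes)
    print("unmodified reflection:", compare(PAYLOAD, plain))
    print("addslashes() reflection:", compare(PAYLOAD, slashed))
    print("no reflection:", compare(PAYLOAD, reflect("harmless query")))
```

With an unmodified reflection both checks agree; after addslashes() the exact-match check reports no reflection while the script still executes in the page, and only the tolerant check flags it. The tolerant pattern is deliberately narrow (backslashes, quotes, whitespace) so that it does not start matching unrelated page content; any broader normalisation should be weighed against the false-positive rate on legitimate pages.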
Daniel Bates
Comment 1 2009-07-08 00:36:44 PDT
Right. We are aware of this issue and it is among our list of improvements.

(In reply to comment #0)
> The reflective XSS filter landed in Bug #26199 is too strict in evaluating
> whether inputs were reflected back into the output. If, for example, the
> server-side code does the equivalent of a PHP addslashes() on the input, then
> the following input will dodge the filter while still executing script:
>
> <script>var bogus=/\/; alert(document.URL);</script>
>
> The backslash will be doubled, resulting in an output that's subtly different
> than its input.
>
> IE's filter accounts for such subtle differences between input and output using
> regular expressions, and perhaps we should do the same.
Adam Barth
Comment 2 2009-07-22 16:28:48 PDT