When decoding HTML entities (XSSAuditor::decodeHTMLEntities), the ampersand is removed and the supposed entity is consumed. If the entity turns out to be invalid, such as an unknown named entity, then a null character is inserted into the decoded result, which creates a discrepancy between the script code and the HTTP parameters. Consider:

Inline Event Handler: http://webblaze.org/dbates/xsstest.php?q=%3Ca%20href='http://www.webblaze.org'%20onclick='alert(/%26XSS/)'%3EClick%3C/a%3E

JavaScript Link: http://webblaze.org/dbates/xsstest.php?q=%3Ca%20href=javascript:alert(/%26XSS/)%3EClick%3C/a%3E
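The mismatch described above can be reproduced with a small model of the auditor's containment check. The code below is an added illustration, not WebKit's XSSAuditor and not the fix committed in r46086: it pairs a decoder that behaves as the report describes (ampersand and candidate name consumed, NUL emitted for an unknown name) with one that leaves unrecognised entity text untouched, then runs both through a simplified "does the decoded request parameter contain the script about to run?" check on the inline-handler case. The entity table, the sample parameter string and the function names are constructed for this example.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <map>
#include <string>

// Toy named-entity table; the full HTML entity table is far larger.
static const std::map<std::string, std::string> kEntities = {
    {"amp", "&"}, {"lt", "<"}, {"gt", ">"}, {"quot", "\""}, {"apos", "'"},
};

// Reads the candidate entity name that starts at pos (just after '&').
// Sets end to the index after the name, and after a trailing ';' if present.
static std::string readEntityName(const std::string& s, size_t pos, size_t& end) {
    size_t i = pos;
    while (i < s.size() && std::isalnum(static_cast<unsigned char>(s[i])))
        ++i;
    std::string name = s.substr(pos, i - pos);
    if (i < s.size() && s[i] == ';')
        ++i;
    end = i;
    return name;
}

// Models the behaviour in the report: '&' and the candidate name are always
// consumed, and an unknown name produces a NUL character in the output.
std::string decodeEntitiesNulOnUnknown(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size();) {
        if (s[i] != '&') { out += s[i++]; continue; }
        size_t end = 0;
        std::string name = readEntityName(s, i + 1, end);
        auto it = kEntities.find(name);
        if (it != kEntities.end()) out += it->second;
        else out += '\0';
        i = end;
    }
    return out;
}

// Assumed corrected behaviour for this example: text that is not a known
// entity is copied through unchanged, so the decoded parameter still
// matches what the HTML parser will hand to the script engine.
std::string decodeEntitiesKeepUnknown(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size();) {
        if (s[i] != '&') { out += s[i++]; continue; }
        size_t end = 0;
        std::string name = readEntityName(s, i + 1, end);
        auto it = kEntities.find(name);
        if (it != kEntities.end()) { out += it->second; i = end; }
        else { out += s[i++]; }  // keep the '&'; following chars copy normally
    }
    return out;
}

// Simplified auditor test: is the script source present in the decoded
// request parameter? If not, the auditor concludes the script was not
// reflected from the request and lets it run.
bool parameterContainsScript(const std::string& decodedParam,
                             const std::string& scriptSource) {
    return decodedParam.find(scriptSource) != std::string::npos;
}

// Constructed sample: the inline-handler case from the report, URL-decoded.
const std::string kRequestParameter =
    "<a href='http://www.webblaze.org' onclick='alert(/&XSS/)'>Click</a>";
// "&XSS" is not an entity, so the HTML parser leaves the onclick value as
// written; this is the text the script engine actually executes.
const std::string kHandlerSource = "alert(/&XSS/)";

// Runs the containment check on the sample with the given decoder.
bool auditorCatchesSample(std::string (*decode)(const std::string&)) {
    return parameterContainsScript(decode(kRequestParameter), kHandlerSource);
}

int main() {
    std::cout << "NUL-on-unknown decoder catches sample: "
              << auditorCatchesSample(decodeEntitiesNulOnUnknown) << "\n";
    std::cout << "keep-unknown decoder catches sample:   "
              << auditorCatchesSample(decodeEntitiesKeepUnknown) << "\n";
    return 0;
}
```

With the NUL-inserting decoder the parameter decodes to `alert(/\0/)`, the substring search for `alert(/&XSS/)` fails, and the reflected handler is not flagged; with the decoder that preserves unrecognised text the two strings agree and the check fires. The same comparison applies to the `javascript:` link case in the report, since it reaches the auditor through the same decoding path.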
Created attachment 33007: Patch with tests

Comment on attachment 33007: Patch with tests

Yes.
Committing to http://svn.webkit.org/repository/webkit/trunk ...
M LayoutTests/ChangeLog
A LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt
A LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand.html
A LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt
A LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand.html
M WebCore/ChangeLog
M WebCore/page/XSSAuditor.cpp
Committed r46086
M WebCore/ChangeLog
M WebCore/page/XSSAuditor.cpp
A LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt
A LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand.html
A LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt
A LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand.html
M LayoutTests/ChangeLog
r46086 = 209a4aa2f77640ff10c4bb3e541c94cc9ee1a53d (trunk)
No changes between current HEAD and refs/remotes/trunk
Resetting to the latest refs/remotes/trunk
http://trac.webkit.org/changeset/46086