Script source code that contains non-ASCII characters may bypass the XSSAuditor. For example:
http://eaea.sirdarckcat.net/xss.php?html_xss=%3Cimg+src=%220%22+onerror=%22/%80/;alert(document.domain)%22%3E
http://eaea.sirdarckcat.net/xss.php?html_xss=%3Cimg+src='%80'+onerror=%27alert(document.domain)%27
Created attachment 39804: Patch with test cases
Created attachment 39805: Patch with test cases
Added another test case: img-onerror-non-ASCII-char-default-encoding.html
Comment on attachment 39805: Patch with test cases
Thanks Dan. This looks great.
Comment on attachment 39805: Patch with test cases
Clearing flags on attachment: 39805
Committed r48564: <http://trac.webkit.org/changeset/48564>
All reviewed patches have been landed. Closing bug.