We can reduce the number of false positives for both inline script- and inline event handler- based attacks by explicitly allowing requests that do not contain the characters described in section 2.4.3 of RFC 2396 <http://www.faqs.org/rfcs/rfc2396.html> in addition to the single quote character "'". That is, the following characters cannot appear in a valid URI: ', ", <, >. If the request does not contain these characters then we can assume that no inline scripts have been injected into response page, because it is impossible to write an inline script of the form <script>...</script> without "<", ">". With regards to an injection of an inline event handler, we believe that the majority of such injections occur as part of breaking out of a quoted property and thus a request that does not contain a single or double quote can be allowed. However, this decision causes the following test cases to fail: property-inject.html, property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html. We should address these in a separate update.
Created attachment 40415 [details] Patch with test cases and rebased test cases Also includes a minor formatting change.
Comment on attachment 40415 [details] Patch with test cases and rebased test cases Great. Thanks Dan.
Committed r48961: <http://trac.webkit.org/changeset/48961>
(In reply to comment #0) > [...] > With regards to an injection of an inline event handler, we believe that the majority of such injections occur as part of breaking out of a quoted property and thus a request that does not contain a single or double quote can be allowed. However, this decision causes the following test cases to fail: property-inject.html, property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html. We should address these in a separate update. See bug #127853.