WebKit Bugzilla
RESOLVED FIXED
29944
[XSSAuditor] Reduce false positives by checking for illegal URI characters
https://bugs.webkit.org/show_bug.cgi?id=29944
Daniel Bates, Reported 2009-09-30 18:06:07 PDT

We can reduce the number of false positives for both inline script- and inline event handler- based attacks by explicitly allowing requests that do not contain the characters described in section 2.4.3 of RFC 2396 <http://www.faqs.org/rfcs/rfc2396.html> in addition to the single quote character "'". That is, the following characters cannot appear in a valid URI: ', ", <, >.

If the request does not contain these characters then we can assume that no inline scripts have been injected into the response page, because it is impossible to write an inline script of the form <script>...</script> without "<", ">".

With regards to an injection of an inline event handler, we believe that the majority of such injections occur as part of breaking out of a quoted property and thus a request that does not contain a single or double quote can be allowed. However, this decision causes the following test cases to fail: property-inject.html, property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html. We should address these in a separate update.
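A sketch of the pre-check described in the report above, as an added example that is not part of the bug thread or of WebKit's source. Function names are hypothetical, and percent-decoding the request once before the check is an assumption, since the thread does not say which form of the request the auditor inspects. The last constructed sample has no quotes or angle brackets, the shape of the property-escape-noquotes cases the report says this check lets through.

```cpp
// Added illustration; not WebKit's XSSAuditor source. All names are hypothetical.
#include <cstddef>
#include <iostream>
#include <string>

// The four characters the report singles out: ' " < >
static bool isFlaggedChar(char c) {
    return c == '\'' || c == '"' || c == '<' || c == '>';
}

static int hexValue(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Assumption: one pass of percent-decoding, '+' treated as a space.
// Malformed escapes ("%4", "%zz") are kept as literal text.
std::string percentDecode(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()) {
            int hi = hexValue(in[i + 1]), lo = hexValue(in[i + 2]);
            if (hi >= 0 && lo >= 0) { out += static_cast<char>(hi * 16 + lo); i += 2; continue; }
        }
        out += (in[i] == '+') ? ' ' : in[i];
    }
    return out;
}

// True when the request skips the inline-script / event-handler audit under
// the report's heuristic: none of the four characters appear after decoding.
bool requestIsExemptFromAudit(const std::string& rawRequest) {
    const std::string decoded = percentDecode(rawRequest);
    for (char c : decoded)
        if (isFlaggedChar(c)) return false;
    return true;
}

int main() {
    const char* samples[] = {              // constructed requests
        "q=hello+world",                   // plain text
        "q=%3Cscript%3E...%3C/script%3E",  // encoded angle brackets
        "name=%22+title%3D%22x",           // encoded double quotes
        "name=it%27s",                     // encoded single quote
        "name=a+b%3Dc",                    // space and '=' only, no quotes
    };
    for (const char* s : samples)
        std::cout << (requestIsExemptFromAudit(s) ? "exempt  " : "audit   ") << s << '\n';
}
```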
Attachments
Patch with test cases and rebased test cases (16.06 KB, patch), 2009-09-30 18:13 PDT, Daniel Bates, abarth: review+
Daniel Bates, Comment 1, 2009-09-30 18:13:09 PDT

Created attachment 40415 [details]
Patch with test cases and rebased test cases

Also includes a minor formatting change.
Adam Barth, Comment 2, 2009-09-30 18:44:11 PDT

Comment on attachment 40415 [details]
Patch with test cases and rebased test cases

Great. Thanks Dan.
Daniel Bates, Comment 3, 2009-09-30 22:56:28 PDT

Committed r48961: <http://trac.webkit.org/changeset/48961>
Daniel Bates, Comment 4, 2014-02-11 12:29:46 PST

(In reply to comment #0)
> [...]
> With regards to an injection of an inline event handler, we believe that the majority of such injections occur as part of breaking out of a quoted property and thus a request that does not contain a single or double quote can be allowed. However, this decision causes the following test cases to fail: property-inject.html, property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html. We should address these in a separate update.

See bug #127853.