There is a weird bug that happens when typing in the Search Field for WebKit-based browsers.
Typing in "return false" results in a blank window instance.
Typing in "return true" will return a search results page from Default Search Provider (Google, Bing, Yahoo!).
I cannot reproduce this in Safari 5.0.2.
Created attachment 73356
Character for Character to be typed in Search Field.
This only happens with Google AFAICT, and it also happens when searching from <http://www.google.com/>.
I still cannot reproduce. Maybe the Russian version of google.com doesn't have this issue.
> This only happens with Google AFAICT, and it also happens when searching from
Does this happen with spoofed UA?
Also, is there any console output? Redirect to about:blank is a common symptom of XSS Auditor being unhappy with a site.
No problem with Safari Mobile surprisingly.
I was unable to reproduce this issue by searching for "return false" using Safari's built-in search or searching for a single query directly from http://www.google.com.
After playing with the live search on Google.com, I was able to reproduce this issue with the following URL: <http://www.google.com/search?client=safari&rls=en&q=return+true;&ie=UTF-8&oe=UTF-8#sclient=psy&hl=en&client=safari&rls=en&q=creating-a-polaroid-effect-with-css%3B+%22return+false%22&aq=f&aqi=&aql=&oq=&gs_rfai=&pbx=1&fp=6e8733203d1b4e27>. Simplifying this URL we have: <http://www.google.com/search?&q=return+true;#%22return+false%22>.
This bug demonstrates a false positive.
Notice, for certain queries (e.g. <http://www.google.com/search?&q=return+true;>) Google will show a hyperlink of the form "Show more results from return-true.com" that has an onclick inline event handler whose value is "return false" (e.g. <a href="..." onclick="return false">Show more results from return-true.com</a>). Constructing a query that includes the phrase "return false" such that the search results page has a "Show more results from ..." hyperlink will result in the XSS Auditor blocking the registration of the onclick event handler since its value ("return false") appears in the URL. And because Google.com requests full-page blocking (i.e. HTTP header "X-XSS-Protection: 1; mode=block") we redirect to about:blank when we detect that the source code of the inline event handler is a substring of the page URL.
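The false positive this comment describes can be reproduced in a simplified model of the auditor's substring test. This is an added illustration, not WebKit's XSS Auditor code: it collects inline event handler attributes from a constructed stand-in for the results page (the real link lives in a display:none div as well), decodes the URL including its fragment, and applies the "mode=block" policy quoted above. The two URLs are the ones from this thread; the HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Constructed inputs (not captured from Google): a results page for "return true;"
# carrying the hidden "Show more results" link, plus the two URLs from the thread.
RESULTS_PAGE = """<html><body><div style="display:none">
<a href="/search?q=site:return-true.com" onclick="return false">
Show more results from return-true.com</a></div></body></html>"""
BENIGN_URL = "http://www.google.com/search?&q=return+true;"
TRIGGER_URL = "http://www.google.com/search?&q=return+true;#%22return+false%22"
BLOCKING_HEADER = "X-XSS-Protection: 1; mode=block"


class InlineHandlerCollector(HTMLParser):
    """Collect the source text of every inline event handler attribute (on*)."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on") and value is not None:
                self.handlers.append(value)


def normalize(text):
    """Collapse whitespace and case so trivial encoding differences still match."""
    return " ".join(text.split()).lower()


def auditor_verdict(url, html, xss_protection):
    """Return (verdict, flagged_handlers) for one response.

    'allow': nothing reflected; 'neuter': a flagged handler is dropped but the
    page renders; 'block': the whole navigation goes to about:blank (mode=block).
    A handler is flagged when its source is a substring of the decoded URL,
    fragment included, which is exactly why "return false" is a false positive.
    """
    collector = InlineHandlerCollector()
    collector.feed(html)
    decoded_url = normalize(unquote_plus(url))
    flagged = [h for h in collector.handlers if normalize(h) in decoded_url]
    if not flagged:
        return "allow", flagged
    if "mode=block" in xss_protection:
        return "block", flagged
    return "neuter", flagged
```

The same page is allowed for the benign URL and blocked for the trigger URL, even though nothing was injected; the real auditor's canonicalization is more involved, but the substring logic that produces the false positive is the same.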
For what it’s worth, I was seeing this behavior only when signed in to an account. After signing out it stopped. I’m not sure how that changes what Google does.
Yes, that exactly matches my results - I can only see this when logged in.
The URL (after entering the search phrase in Safari search bar) was <http://www.google.com/search?client=safari&rls=en&q=%22return+false%22&ie=UTF-8&oe=UTF-8>.
> Constructing a query that includes the phrase "return false" such that the search results page has a "Show more results from ..." hyperlink will result in the XSS Auditor blocking the registration of the onclick event handler since its value ("return false") appears in the URL.
Yes, that's where "return false" is indeed. One difference from your analysis is that the hyperlink is invisible for me, being in a display:none div.
This bug is fixed by the new XSS auditor architecture.