RESOLVED FIXED 66580
XSS Filter Bypass with long strings
https://bugs.webkit.org/show_bug.cgi?id=66580
Summary XSS Filter Bypass with long strings
Adam Barth
Reported 2011-08-19 13:50:24 PDT
Created attachment 104557 [details]
test case

http://code.google.com/p/chromium/issues/detail?id=77731

VULNERABILITY DETAILS
On pages that render a large amount of user input it is possible to bypass the XSS filter.

VERSION
Chrome Version: 11.0.696.25 beta
Operating System: Windows Vista SP2

REPRODUCTION CASE
The attachment contains two files: a PHP file and an HTML file. Host the PHP file and update the form action in the HTML file to point to it. Open a new Chrome tab and navigate to the HTML file.

xss-filter-bypass.zip (890 bytes)
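The report only says that a page rendering a large amount of user input lets a reflected payload slip past the filter. The following is an added example, not code from the report, the attachment or WebKit's XSSAuditor: a toy model of a reflected-XSS filter that blocks an inline script in the response when the same script text appears in the request parameters. The weak variant assumes, as a hypothetical mechanism, that only the first `scanLimit` bytes of the request body are searched (the 64 KiB figure, the `comment`/`name` field names and the echoing server are all constructed here), which is enough to show how padding the request with benign input hides a payload placed after it, and how a full-body scan does not have that gap.

```javascript
// Toy reflected-XSS auditor model (added example, not WebKit code).
// A response is blocked when one of its inline <script> elements also
// occurs, decoded, among the request's parameter values.

const PAYLOAD = '<script>alert(1)</script>';

// Constructed request body: a large free-text field, then the payload.
function buildRequestBody(paddingBytes) {
  const padding = 'A'.repeat(paddingBytes);
  return 'comment=' + encodeURIComponent(padding) +
         '&name=' + encodeURIComponent(PAYLOAD);
}

// Constructed vulnerable server: echoes both fields without escaping.
function renderResponse(body) {
  const params = new URLSearchParams(body);
  return '<html><body><p>' + params.get('comment') + '</p>' +
         '<p>' + params.get('name') + '</p></body></html>';
}

// Inline scripts present in the response (toy regex, not an HTML parser).
function inlineScripts(html) {
  return [...html.matchAll(/<script\b[^>]*>[\s\S]*?<\/script>/gi)]
    .map(m => m[0]);
}

// Decoded parameter values the auditor gets to see. A defined scanLimit
// models the hypothetical weak filter that only examines a prefix of the
// body; undefined means the whole body is searched.
function visibleParamValues(body, scanLimit) {
  const searched = scanLimit === undefined ? body : body.slice(0, scanLimit);
  return [...new URLSearchParams(searched).values()];
}

// True if the (toy) auditor would block the response to this request.
function auditorBlocks(body, scanLimit) {
  const values = visibleParamValues(body, scanLimit);
  return inlineScripts(renderResponse(body))
    .some(script => values.some(value => value.includes(script)));
}

// Assumed prefix limit for the weak variant; not WebKit's actual number.
const ASSUMED_SCAN_LIMIT = 64 * 1024;

// Small request: the payload falls inside the scanned prefix and is caught.
const smallBody = buildRequestBody(100);
console.log('small, prefix scan :', auditorBlocks(smallBody, ASSUMED_SCAN_LIMIT));

// Large request: the payload sits past the prefix and is never compared.
const largeBody = buildRequestBody(100000);
console.log('large, prefix scan :', auditorBlocks(largeBody, ASSUMED_SCAN_LIMIT));

// Same large request against a filter that searches the whole body.
console.log('large, full scan   :', auditorBlocks(largeBody));
```

The point the model makes is that a reflection check is only as strong as the portion of the request it is willing to compare against; any fixed cap on the searched input turns into a bypass by padding. A real regression test, like the LayoutTest landed on this bug, should therefore place the payload after a body of user input large enough to exceed whatever limit the implementation might have.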
Attachments
test case (890 bytes, application/zip)
2011-08-19 13:50 PDT, Adam Barth
no flags
Static version of post response (20.15 KB, text/plain)
2011-09-02 12:36 PDT, Thomas Sepez
no flags
Proposed TestCase (47.95 KB, patch)
2011-09-02 14:08 PDT, Thomas Sepez
no flags
Proposed test case with "" typo removed. (47.95 KB, patch)
2011-09-02 14:13 PDT, Thomas Sepez
no flags
Thomas Sepez
Comment 1 2011-09-02 12:35:11 PDT
Adam, DNR using Chrome 14 on Linux. Didn't have PHP, but used a static file whose output matches what we'd expect from your static input file. Console reports the XSS filter caught it. I'll add my static output as an attachment.
Thomas Sepez
Comment 2 2011-09-02 12:36:29 PDT
Created attachment 106176 [details] Static version of post response
Adam Barth
Comment 3 2011-09-02 12:38:38 PDT
Yeah, I think I fixed it in an earlier patch. We probably should convert your static test to a LayoutTest and close this bug.
Thomas Sepez
Comment 4 2011-09-02 14:08:08 PDT
Created attachment 106195 [details] Proposed TestCase
Thomas Sepez
Comment 5 2011-09-02 14:13:29 PDT
Created attachment 106196 [details] Proposed test case with "" typo removed.
WebKit Review Bot
Comment 6 2011-09-02 14:57:03 PDT
Comment on attachment 106196 [details] Proposed test case with "" typo removed. Clearing flags on attachment: 106196 Committed r94451: <http://trac.webkit.org/changeset/94451>
WebKit Review Bot
Comment 7 2011-09-02 14:57:09 PDT
All reviewed patches have been landed. Closing bug.