Bug 78732 - XSS Auditor bypass with U+2028/2029
Summary: XSS Auditor bypass with U+2028/2029
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Thomas Sepez
URL:
Keywords: XSSAuditor
Depends on:
Blocks:
 
Reported: 2012-02-15 13:14 PST by Thomas Sepez
Modified: 2012-02-16 12:30 PST
CC List: 3 users

See Also:


Attachments
Patch. (3.93 KB, patch)
2012-02-15 14:59 PST, Thomas Sepez
no flags

Description Thomas Sepez 2012-02-15 13:14:56 PST
Originally reported by masatokinugawa at http://code.google.com/p/chromium/issues/detail?id=114346

The attacker can bypass XSS Auditor. 
Chrome Version: 17.0.963.46 stable affected.
Safari 5.1.2 is OK.

The reflected vector is: ?xss=%3Cscript%3E//%E2%80%A9alert(1)%3C/script%3E
<script>//[U+2028 or 2029]alert(1)</script>
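The bypass in the report works because a `//` comment in JavaScript ends at any ECMAScript LineTerminator, and U+2028 (LINE SEPARATOR) and U+2029 (PARAGRAPH SEPARATOR) are LineTerminators alongside \n and \r, so the engine runs `alert(1)` while a filter that only recognises \n and \r sees the whole script body as a comment. The following is an added illustration, not part of the report and not WebKit's XSSAuditor code: a toy model of the comment-stripping step of a reflected-script filter in a flawed form and a corrected form, run against the exact vector quoted above. The auditor decision rule, the function names and the helpers are assumptions made for the example; only the vector comes from the report.

```javascript
// Added example, not WebKit's XSSAuditor code: a toy model of the step where a
// reflected-XSS filter strips `//` comments from an inline script before
// comparing it with the request, in the flawed form (only \n and \r end a
// comment) and the corrected form (U+2028 and U+2029 are line terminators too,
// as listed in ECMAScript 5.1 section 7.3). The reflected vector is the one
// quoted in the report; the auditor logic and function names are assumptions.

const LINE_SEPARATOR = "\u2028";
const PARAGRAPH_SEPARATOR = "\u2029";

// Flawed newline test: misses the two Unicode line terminators.
function isJsNewlineFlawed(ch) {
  return ch === "\n" || ch === "\r";
}

// Corrected newline test: matches what a JavaScript engine treats as a LineTerminator.
function isJsNewlineFixed(ch) {
  return ch === "\n" || ch === "\r" || ch === LINE_SEPARATOR || ch === PARAGRAPH_SEPARATOR;
}

// Remove `//` comments from a script body; a comment runs until isNewline() says it ends.
function stripLineComments(src, isNewline) {
  let out = "";
  let i = 0;
  while (i < src.length) {
    if (src[i] === "/" && src[i + 1] === "/") {
      i += 2;
      while (i < src.length && !isNewline(src[i])) i += 1;
      continue; // the terminator itself is kept, as the engine would see it
    }
    out += src[i];
    i += 1;
  }
  return out;
}

// Decode the first query parameter's value and pull out the inline script body.
function scriptBodyFromQuery(query) {
  const value = decodeURIComponent(query.replace(/^\?/, "").split("=")[1] || "");
  const m = /<script>([\s\S]*?)<\/script>/i.exec(value);
  return { value, body: m ? m[1] : "" };
}

// Toy auditor decision (an assumption, not the real XSSAuditor rule): block when the
// non-comment part of the script was reflected verbatim from the request. With the
// flawed predicate the whole body looks like a comment, so there is nothing to match
// and the script is allowed through.
function auditorBlocks(query, isNewline) {
  const { value, body } = scriptBodyFromQuery(query);
  const code = stripLineComments(body, isNewline).trim(); // trim() drops the leftover terminator
  return code.length > 0 && value.includes(code);
}

// What the engine actually does with the same body: run it with alert() stubbed so the
// calls can be observed. A comment ended by U+2028/U+2029 leaves alert(1) as live code.
function runWithStubbedAlert(body) {
  const calls = [];
  new Function("alert", body)((x) => calls.push(x));
  return calls;
}

// Vector quoted in the report (U+2029 is %E2%80%A9 in UTF-8).
const REPORTED_VECTOR = "?xss=%3Cscript%3E//%E2%80%A9alert(1)%3C/script%3E";

console.log("engine executes alert with:", runWithStubbedAlert(scriptBodyFromQuery(REPORTED_VECTOR).body));
console.log("flawed auditor blocks:", auditorBlocks(REPORTED_VECTOR, isJsNewlineFlawed));
console.log("fixed auditor blocks:", auditorBlocks(REPORTED_VECTOR, isJsNewlineFixed));
```

Run under Node: the stubbed `alert` is called with `1` for the reported vector, the flawed predicate lets it through (the stripped body is empty, so nothing is compared against the request), and the corrected predicate blocks it because `alert(1)` survives comment stripping and is found reflected in the query value. The practical lesson is that any filter that re-parses script must use the engine's own tokenisation rules, including its full LineTerminator set, or the two will disagree on where a comment ends.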
Comment 1 Thomas Sepez 2012-02-15 14:59:41 PST
Created attachment 127245
Patch.
Comment 2 WebKit Review Bot 2012-02-16 11:44:41 PST
Comment on attachment 127245
Patch.

Rejecting attachment 127245 from commit-queue.

tsepez@chromium.org does not have committer permissions according to http://trac.webkit.org/browser/trunk/Tools/Scripts/webkitpy/common/config/committers.py.

- If you do not have committer rights please read http://webkit.org/coding/contributing.html for instructions on how to use bugzilla flags.

- If you have committer rights please correct the error in Tools/Scripts/webkitpy/common/config/committers.py by adding yourself to the file (no review needed).  The commit-queue restarts itself every 2 hours.  After restart the commit-queue will correctly respect your committer rights.
Comment 3 WebKit Review Bot 2012-02-16 12:30:25 PST
Comment on attachment 127245
Patch.

Clearing flags on attachment: 127245

Committed r107967: <http://trac.webkit.org/changeset/107967>
Comment 4 WebKit Review Bot 2012-02-16 12:30:29 PST
All reviewed patches have been landed.  Closing bug.