Originally reported by masatokinugawa at http://code.google.com/p/chromium/issues/detail?id=114641 Reflected vectors are of the form: ?xss=%3Csvg%3E%3Cscript%3E//%26%23x0A%3Balert(1)%3C/script%3E ?xss=%3Csvg%3E%3Cscript%3E//%26%23x0D%3Balert(1)%3C/script%3E ?xss=%3Csvg%3E%3Cscript%3E//%26%23x2028%3Balert(1)%3C/script%3E ?xss=%3Csvg%3E%3Cscript%3E//%26%23x2029%3Balert(1)%3C/script%3E ?xss=%3Csvg%3E%3Cscript%3E/**%26%23x2F%3Balert(1)%3C/script%3E SVG is XML and hence the entities get decoded during parsing.
Probably the right way to fix this is for xssauditor to know when it is in an SVG block vs. an ordinary script block, and apply html entity decoding to match the HTML vs. XML expectations. Trying to always html entity decode will open up vulns in the HTML case.
Created attachment 127672 [details] First cut at Patch -- needs more analysis.
Created attachment 128037 [details] Patch for initial review (needs more testing before commit).
So the idea in patch #2 is that the state of initial token / after scrip tag goes away, and is replaced by a count of the depth of the script blocks (which is cheaper than trying to keep a stack of tags).
Comment on attachment 128037 [details] Patch for initial review (needs more testing before commit). View in context: https://bugs.webkit.org/attachment.cgi?id=128037&action=review This looks fantastic. Thanks. > Source/WebCore/html/parser/XSSAuditor.cpp:586 > + break; bad indent
Created attachment 128269 [details] Patch + indent fix. Let's try to land this to avoid merging around it.
Comment on attachment 128269 [details] Patch + indent fix. Clearing flags on attachment: 128269 Committed r108551: <http://trac.webkit.org/changeset/108551>
All reviewed patches have been landed. Closing bug.