Reported by masatokinugawa, Today (10 hours ago)
The vector is:
Safari is OK.
Also Reported by kuzzcc, Yesterday (32 hours ago)
Chrome 19.0.1041.0 dev-m, Windows XP SP3
Created attachment 128061
Comment on attachment 128061
Flipping to component Security while I cobble together an example to see if there's actually a hole here.
Ah. KURL vs. KURLgoogle again. KURLgoogle's protocolIs() will handle the ctrl characters, so no UXSS hole on setting frame.location. Good.
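The point in the comment above is that a scheme check is only as good as its agreement with the URL parser: if the parser strips or ignores control characters before deciding the scheme but the check compares the raw string, the two disagree and a URL the check calls harmless is executed as javascript:. The following is an added example, not code from this bug or from WebKit; the original report's vector is not reproduced on this page, so the inputs below are constructed stand-ins (the `\x01`, tab and newline placements are assumptions), and `naiveIsJavaScriptUrl` / `parsedIsJavaScriptUrl` are illustrative names, not WebKit's `protocolIs()`. It relies on the WHATWG URL parser (Node's global `URL`), which strips leading and trailing C0 controls and spaces and removes ASCII tab and newline anywhere in the input.

```javascript
// Added example, not part of the bug report or WebKit. It contrasts a raw
// string-prefix scheme check with one that defers to the URL parser, using
// constructed inputs that stand in for the (unreproduced) reported vector.

// Naive check: looks at the raw string. Stands in for a hypothetical
// protocolIs() that does not account for control characters.
function naiveIsJavaScriptUrl(href) {
  return href.toLowerCase().startsWith("javascript:");
}

// Parser-aligned check: normalize with the WHATWG URL parser first, so the
// scheme tested is the one a browser following that parser would act on.
// A base is supplied only so relative inputs parse instead of throwing.
function parsedIsJavaScriptUrl(href) {
  try {
    return new URL(href, "https://example.invalid/").protocol === "javascript:";
  } catch (e) {
    return false; // unparseable input cannot be a javascript: URL
  }
}

// Constructed inputs; alert(1) is a placeholder payload.
const SAMPLES = [
  "javascript:alert(1)",
  "\x01javascript:alert(1)",   // leading C0 control character
  " \tjavascript:alert(1)",    // leading space and tab
  "java\nscript:alert(1)",     // newline inside the scheme
  "https://example.invalid/",  // ordinary URL, should be false for both
];

// Returns one record per input so the two checks can be compared side by side.
function compare(hrefs) {
  return hrefs.map((h) => ({
    href: h,
    naive: naiveIsJavaScriptUrl(h),
    parsed: parsedIsJavaScriptUrl(h),
  }));
}

for (const r of compare(SAMPLES)) {
  console.log(JSON.stringify(r));
}
```

Every row where `naive` is false but `parsed` is true is a bypass: the raw check would let the href through, and the parser would still run it as javascript:. The fix direction in this bug is the second shape, have the check use the same normalization as the parser rather than inspecting the raw string.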
Created attachment 128349
Patch using Adam's suggested function. Also, the test now uses an <a href=""> rather than an <iframe src="">, since iframe src currently isn't exploitable. It flunks an origin test on Chromium -- which is why this needs to be an href in an <a> tag. Still waiting for full testing to complete.
Comment on attachment 128349
Clearing flags on attachment: 128349
Committed r108653: <http://trac.webkit.org/changeset/108653>
All reviewed patches have been landed. Closing bug.