[webkit-reviews] review denied: [Bug 27895] [XSSAuditor] Inline Event Handler with single-line JavaScript comment can bypass XSSAuditor : [Attachment 41022] Patch with test cases
bugzilla-daemon at webkit.org
Mon Oct 12 09:24:48 PDT 2009
Adam Barth <abarth at webkit.org> has denied Daniel Bates <dbates at webkit.org>'s
request for review:
Bug 27895: [XSSAuditor] Inline Event Handler with single-line JavaScript
comment can bypass XSSAuditor
https://bugs.webkit.org/show_bug.cgi?id=27895
Attachment 41022: Patch with test cases
https://bugs.webkit.org/attachment.cgi?id=41022&action=review
------- Additional Comments from Adam Barth <abarth at webkit.org>
I think there is a subtle bug with this patch. Imagine that an HTML entity is
straddling the 7th character:
/*xx&copy;*/alert(/xss);
When we substring, we'll get
/*xx&co
and the entity won't decode and the string won't match.
We need to canonicalize() first before calling substring...
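To make the ordering concrete, here is an added Python example (not WebKit code, not part of the review): a stand-in canonicalize() built on html.unescape, the snippet from the comment above, and the two orderings of substring and decode compared. Function names and the prefix length are assumptions for illustration.

```python
import html

# Constructed sample from the review: the entity "&copy;" straddles the
# 7th character, so the 7-character prefix of the raw text is "/*xx&co".
RAW_EVENT_HANDLER = "/*xx&copy;*/alert(/xss);"
PREFIX_LENGTH = 7


def canonicalize(text: str) -> str:
    """Stand-in (assumption) for the auditor's canonicalize(): decode HTML entities."""
    return html.unescape(text)


def prefix_substring_first(text: str, n: int) -> str:
    """Order the patch uses: cut first, then decode.

    "&co" is not a complete entity, so it never decodes and the prefix keeps
    the raw ampersand form.
    """
    return canonicalize(text[:n])


def prefix_canonicalize_first(text: str, n: int) -> str:
    """Order the review asks for: decode the whole string, then cut."""
    return canonicalize(text)[:n]


def prefix_matches(raw_text: str, reference: str, n: int, canonicalize_first: bool) -> bool:
    """Compare the first n decoded characters of raw_text with the decoded
    reference (what the matcher expects to see)."""
    cut = prefix_canonicalize_first if canonicalize_first else prefix_substring_first
    return cut(raw_text, n) == canonicalize(reference)[:n]


if __name__ == "__main__":
    for first in (False, True):
        label = "canonicalize then substring" if first else "substring then canonicalize"
        got = (prefix_canonicalize_first if first else prefix_substring_first)(
            RAW_EVENT_HANDLER, PREFIX_LENGTH)
        ok = prefix_matches(RAW_EVENT_HANDLER, RAW_EVENT_HANDLER, PREFIX_LENGTH, first)
        print(f"{label}: prefix={got!r} matches={ok}")
```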