[webkit-reviews] review requested: [Bug 27895] [XSSAuditor] Inline Event Handler with single-line JavaScript comment can bypass XSSAuditor : [Attachment 107246] Patch removing max snippet len truncation

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Sep 13 15:49:15 PDT 2011


Thomas Sepez <tsepez at chromium.org> has asked for review:
Bug 27895: [XSSAuditor] Inline Event Handler with single-line JavaScript
comment can bypass XSSAuditor
https://bugs.webkit.org/show_bug.cgi?id=27895

Attachment 107246: Patch removing max snippet len truncation
https://bugs.webkit.org/attachment.cgi?id=107246&action=review

------- Additional Comments from Thomas Sepez <tsepez at chromium.org>
Yes, the %xx case is a problem if it straddles the kMaximumSnippetLength
boundary.  Need not be a surrogate pair, even a simple %2f (for example) if it
loses the final f won't parse, and the snippet will contain a % that the url
won't after it decodes.  So I pulled the initial truncation.
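To illustrate the boundary problem described in the comment, here is an added example (not code from the patch or from WebKit): a minimal %xx decoder, a naive fixed-length truncation standing in for the pre-patch behaviour, and the substring match that the auditor relies on. The limit `kMaximumSnippetLength` is set to a small hypothetical value, and the URL is constructed, so that a `%2f` lands on the cut.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical small limit so the constructed sample straddles it;
// the real constant lives in WebKit's XSSAuditor.
static const size_t kMaximumSnippetLength = 5;

// Minimal %xx decoder. A '%' that is not followed by two hex digits is
// left untouched, which is exactly what makes a truncated escape visible:
// "%2" survives decoding while "%2f" becomes "/".
std::string percentDecode(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size()
            && std::isxdigit(static_cast<unsigned char>(s[i + 1]))
            && std::isxdigit(static_cast<unsigned char>(s[i + 2]))) {
            out += static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else {
            out += s[i];
        }
    }
    return out;
}

// Naive truncation, as the auditor did before the patch removed it.
std::string truncateSnippet(const std::string& snippet) {
    return snippet.substr(0, kMaximumSnippetLength);
}

// The matching step: is the decoded snippet present in the decoded URL?
bool snippetFoundInUrl(const std::string& snippet, const std::string& url) {
    return percentDecode(url).find(percentDecode(snippet)) != std::string::npos;
}

int main() {
    // Constructed sample: the escape %2f starts at offset 3 and is cut after "%2".
    const std::string snippet = "a=b%2fc";
    const std::string url = "http://example.test/?a=b%2fc";
    std::cout << "full snippet matches:      " << snippetFoundInUrl(snippet, url) << "\n";
    std::cout << "truncated snippet matches: "
              << snippetFoundInUrl(truncateSnippet(snippet), url) << "\n";
    return 0;
}
```

The untruncated snippet decodes to `a=b/c` and is found in the decoded URL; the truncated `a=b%2` keeps a literal `%` the URL no longer has, so the match fails and the auditor sees nothing to block.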
