[Webkit-unassigned] [Bug 26938] New: XSSAuditor should accommodate common, slight transformations.
bugzilla-daemon at webkit.org
Thu Jul 2 15:49:27 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=26938
Summary: XSSAuditor should accommodate common, slight
transformations.
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: matthew.murphy at apple.com

The reflective XSS filter landed in Bug #26199 is too strict in evaluating
whether inputs were reflected back into the output. If, for example, the
server-side code does the equivalent of a PHP addslashes() on the input, then
the following input will dodge the filter while still executing script:

    <script>var bogus=/\/; alert(document.URL);</script>

The backslash will be doubled, resulting in an output that's subtly different
than its input.

IE's filter accounts for such subtle differences between input and output using
regular expressions, and perhaps we should do the same.
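
The mismatch described in the report, as an added example that is not part of the original message and is neither WebKit's XSSAuditor code nor IE's filter: an exact-match reflection check misses the reported input once the server doubles the backslash, while a pattern that tolerates an inserted backslash still matches. The function names and the sample response body are assumptions constructed for illustration.

```javascript
// Added illustration. All names here are hypothetical.

// Stand-in for the server-side transformation named in the report:
// PHP addslashes() prefixes ', " and \ with a backslash (NUL handling omitted).
function addslashes(s) {
  return s.replace(/[\\'"]/g, "\\$&");
}

// Strict check: the request input must appear character-for-character in the body.
function strictReflected(input, body) {
  return body.includes(input);
}

// Tolerant check: build a regular expression from the input in which every
// ', " or \ may be preceded by one inserted backslash.
function tolerantPattern(input) {
  let src = "";
  for (const ch of input) {
    const lit = ch.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // escape regex metacharacters
    const escapable = ch === "\\" || ch === "'" || ch === '"';
    src += escapable ? "\\\\?" + lit : lit;
  }
  return new RegExp(src);
}

function tolerantReflected(input, body) {
  return tolerantPattern(input).test(body);
}

// Compare both checks for one request input and one response body.
function audit(input, body) {
  return {
    strict: strictReflected(input, body),
    tolerant: tolerantReflected(input, body),
  };
}

// The input quoted in the report, and a constructed response body that
// reflects it after addslashes().
const reported = "<script>var bogus=/\\/; alert(document.URL);</script>";
const slashedBody = "<p>Results for: " + addslashes(reported) + "</p>";

console.log(audit(reported, slashedBody)); // strict check misses, tolerant check matches
```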