[Webkit-unassigned] [Bug 26938] XSSAuditor should accommodate common, slight transformations.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 8 00:36:45 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=26938


Daniel Bates <dbates at berkeley.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dbates at berkeley.edu
--- Comment #1 from Daniel Bates <dbates at berkeley.edu>  2009-07-08 00:36:44 PDT ---
Right. We are aware of this issue and it is among our list of improvements.
(In reply to comment #0)
> The reflective XSS filter landed in Bug #26199 is too strict in evaluating
> whether inputs were reflected back into the output.  If, for example, the
> server-side code does the equivalent of a PHP addslashes() on the input, then
> the following input will dodge the filter while still executing script:
> 
> <script>var bogus=/\/; alert(document.URL);</script>
> 
> The backslash will be doubled, resulting in an output that's subtly different
> than its input.
> 
> IE's filter accounts for such subtle differences between input and output using
> regular expressions, and perhaps we should do the same.

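To illustrate the gap the report describes, here is an added example (not WebKit's XSSAuditor code, and not from the bug's author): an exact-substring reflection check beside a tolerant one that lets each backslash or quote in the input optionally carry one escaping backslash, so an addslashes()-style reflection is still recognised. The `addslashes` emulation, the `reflectedExactly`/`reflectedTolerantly` names and the constructed sample response are assumptions made for this example.

```javascript
// Simplified stand-in for PHP addslashes(): prefix backslash and quotes
// with a backslash (PHP also handles NUL; omitted here).
function addslashes(s) {
  return s.replace(/[\\'"]/g, "\\$&");
}

// Escape regex metacharacters so input text can be embedded in a pattern.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build a pattern that matches `input`, allowing every backslash or quote
// to be preceded by one optional escaping backslash (the "slight
// transformation" the bug asks the auditor to accommodate).
function tolerantPattern(input) {
  let pattern = "";
  for (const ch of input) {
    const needsSlack = ch === "\\" || ch === "'" || ch === '"';
    pattern += (needsSlack ? "\\\\?" : "") + escapeRegExp(ch);
  }
  return new RegExp(pattern);
}

// The too-strict check: input must appear verbatim in the response.
function reflectedExactly(input, output) {
  return output.includes(input);
}

// The tolerant check: input appears modulo addslashes-style escaping.
function reflectedTolerantly(input, output) {
  return tolerantPattern(input).test(output);
}

// Constructed sample: the payload quoted in the bug, reflected by a server
// that ran addslashes() on it (backslash doubled), plus a response that
// HTML-encoded the angle brackets and therefore did not reflect script.
const PAYLOAD = "<script>var bogus=/\\/; alert(document.URL);</script>";
const REFLECTED_WITH_ADDSLASHES = addslashes(PAYLOAD);
const HTML_ENCODED = "&lt;script&gt;var bogus=/\\/; alert(document.URL);&lt;/script&gt;";

function checkBugExample() {
  return {
    exact: reflectedExactly(PAYLOAD, REFLECTED_WITH_ADDSLASHES),      // false
    tolerant: reflectedTolerantly(PAYLOAD, REFLECTED_WITH_ADDSLASHES), // true
    encoded: reflectedTolerantly(PAYLOAD, HTML_ENCODED),              // false
  };
}
```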