[Webkit-unassigned] [Bug 29523] New: [XSSAuditor] JavaScript URLs that are URL-encoded twice can bypass the XSSAuditor
bugzilla-daemon at webkit.org
Sat Sep 19 14:50:49 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=29523
Summary: [XSSAuditor] JavaScript URLs that are URL-encoded twice can bypass the XSSAuditor
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
URL: http://eaea.sirdarckcat.net/xss.php?html_xss=<iframe+src="javascript:'1%25251';alert(document.domain)">
OS/Version: All
Status: NEW
Keywords: XSSAuditor
Severity: Normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: dbates at webkit.org
CC: mario.heiderich at gmail.com, sam at webkit.org,
abarth at webkit.org
Blocks: 29278
The method FrameLoader::executeIfJavaScriptURL decodes the URL escape sequences
in a JavaScript URL before the script is eventually passed to the XSSAuditor.
Because the XSSAuditor also decodes URL escape sequences as part of its
canonicalization, the JavaScript URL ends up decoded twice while the input
parameters are canonicalized only once. A script that is URL-encoded twice
therefore no longer matches the canonicalized input parameters, and the
XSSAuditor fails to recognize it as reflected.
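The decoding mismatch described above, as an added illustration that is not part of this bug report or of WebKit's source: a small Python model in which a "frame loader" stage decodes the javascript: URL once, and an "auditor" stage canonicalizes both the script and the reflected request parameter before substring-matching them. The sample strings are constructed from the repro URL in this report; the single-decode and fixpoint canonicalizers, the substring heuristic, and the function names are assumptions made for the model, and the fixpoint variant is shown only as one consistent canonicalization, not as the fix WebKit adopted.

```python
import urllib.parse

# Constructed sample, built from the repro URL in this report (not taken from
# WebKit source): the html_xss query parameter as the browser sends it, with the
# percent sign itself percent-encoded ("%2525" -> "%25" -> "%").
REQUEST_PARAM = "<iframe src=\"javascript:'1%25251';alert(document.domain)\">"

# The server decodes the parameter once and echoes it into the page, so the
# iframe's src attribute that reaches the frame loader carries one fewer layer.
JS_URL_IN_MARKUP = "javascript:'1%251';alert(document.domain)"

# A constructed reflected parameter that does not contain the script at all.
BENIGN_PARAM = "q=hello+world"


def decode_once(s: str) -> str:
    """One pass of URL escape-sequence decoding; invalid escapes are left alone."""
    return urllib.parse.unquote(s)


def decode_fully(s: str, max_rounds: int = 8) -> str:
    """Decode until the string stops changing (bounded so hostile input cannot loop)."""
    for _ in range(max_rounds):
        nxt = decode_once(s)
        if nxt == s:
            break
        s = nxt
    return s


def script_from_js_url(js_url: str) -> str:
    """Assumed model of FrameLoader::executeIfJavaScriptURL: return the body of
    the javascript: URL, already decoded once, as the script the auditor sees."""
    scheme = "javascript:"
    if js_url[:len(scheme)].lower() != scheme:
        raise ValueError("not a JavaScript URL")
    return decode_once(js_url[len(scheme):])


def auditor_flags_reflected(script: str, request_param: str, canon) -> bool:
    """Assumed reflected-script heuristic: flag the script when its canonical
    form appears inside the canonical form of a request parameter."""
    return canon(script) in canon(request_param)


def check_with_single_decode(js_url: str, request_param: str) -> bool:
    """The mismatched pairing: the script was decoded by the frame loader and is
    decoded again by the auditor, but the parameter is decoded only once."""
    return auditor_flags_reflected(script_from_js_url(js_url), request_param, decode_once)


def check_with_full_decode(js_url: str, request_param: str) -> bool:
    """Consistent canonicalization: both sides decoded to a fixpoint before matching."""
    return auditor_flags_reflected(script_from_js_url(js_url), request_param, decode_fully)


if __name__ == "__main__":
    print("single-decode auditor flags:", check_with_single_decode(JS_URL_IN_MARKUP, REQUEST_PARAM))  # False
    print("fixpoint auditor flags:     ", check_with_full_decode(JS_URL_IN_MARKUP, REQUEST_PARAM))    # True
    print("benign parameter flagged:   ", check_with_full_decode(JS_URL_IN_MARKUP, BENIGN_PARAM))     # False
```

With the single-decode auditor the script canonicalizes to `'1%1';alert(document.domain)` while the parameter still reads `'1%251';...`, so the substring check misses the reflection; decoding both sides to a fixpoint brings the two representations back into agreement without flagging a parameter that never contained the script.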