[Webkit-unassigned] [Bug 29944] New: [XSSAuditor] Reduce false positives by checking for illegal URI characters

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 30 18:06:07 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=29944

           Summary: [XSSAuditor] Reduce false positives by checking for
                    illegal URI characters
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: XSSAuditor
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dbates at webkit.org
                CC: sam at webkit.org, abarth at webkit.org


We can reduce the number of false positives for both inline-script- and inline-
event-handler-based attacks by explicitly allowing requests that do not
contain the characters described in section 2.4.3 of RFC 2396
<http://www.faqs.org/rfcs/rfc2396.html> in addition to the single quote
character "'". That is, the following characters cannot appear in a valid URI:
', ", <, >.

If the request does not contain these characters then we can assume that no
inline scripts have been injected into the response page, because it is
impossible to write an inline script of the form <script>...</script> without
"<", ">".

With regards to an injection of an inline event handler, we believe that the
majority of such injections occur as part of breaking out of a quoted property
and thus a request that does not contain a single or double quote can be
allowed. However, this decision causes the following test cases to fail:
property-inject.html, property-escape-noquotes.html, and
property-escape-noquotes-tab-slash-chars.html. We should address these in a
separate update.
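The fast path proposed above, sketched as an added example (not the bug report's or WebKit's own code): percent-decode the request and run the full auditor only when one of the four characters is present. Decoding with urllib and the sample requests are assumptions of this sketch; the last sample shows the unquoted-attribute gap the report acknowledges.

```python
from urllib.parse import unquote, unquote_plus

# Characters the report says cannot appear in a valid URI: the RFC 2396 2.4.3
# delimiters <, >, " plus the single quote. Their absence is the allow fast path.
SUSPICIOUS_CHARS = frozenset("'\"<>")


def needs_audit(url: str, body: str = "") -> bool:
    """Return True when the request could carry an inline-script or
    quoted-attribute injection and the full XSSAuditor pass should run.

    Assumption: the auditor inspects percent-decoded text, so %3C counts as
    '<'. Form bodies use '+' for spaces, hence unquote_plus for the body.
    """
    decoded = unquote(url) + "\n" + unquote_plus(body)
    return any(ch in SUSPICIOUS_CHARS for ch in decoded)


def audit_decision(url: str, body: str = "") -> str:
    """'allow' skips the auditor entirely; 'audit' runs the existing checks."""
    return "audit" if needs_audit(url, body) else "allow"


# Constructed sample requests (not taken from the bug or WebKit's test suite).
SAMPLES = {
    "benign search": ("http://example.com/search?q=webkit+xss+auditor", ""),
    "benign name with apostrophe": ("http://example.com/?name=O%27Brien", ""),
    "inline script, percent-encoded":
        ("http://example.com/?q=%3Cscript%3E...%3C/script%3E", ""),
    "quoted attribute breakout": ("http://example.com/?q=%22+onfocus%3D...", ""),
    # No quote or angle bracket at all, so the fast path allows it: this is the
    # property-escape-noquotes case the report says still fails.
    "unquoted attribute (known gap)": ("http://example.com/?q=x+onfocus%3D...", ""),
    "POST body with apostrophe": ("http://example.com/post", "comment=it%27s+fine"),
}

if __name__ == "__main__":
    for label, (url, body) in SAMPLES.items():
        print(f"{label:32s} -> {audit_decision(url, body)}")
```

Note that an apostrophe in ordinary data still sends the request to the full auditor; the fast path removes false positives only for requests free of all four characters.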
