[Webkit-unassigned] [Bug 49235] Searching for “return false” (including double-quotes) on google.com results in redirect to about:blank

bugzilla-daemon at webkit.org
Tue Nov 9 23:47:28 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=49235


Daniel Bates <dbates at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |XSSAuditor
          Component|New Bugs                    |WebCore Misc.
                 CC|                            |abarth at webkit.org




--- Comment #7 from Daniel Bates <dbates at webkit.org>  2010-11-09 23:47:27 PST ---
I was unable to reproduce this issue by searching for "return false" using Safari's built-in search or searching for a single query directly from http://www.google.com.

After playing with the live search on Google.com, I was able to reproduce this issue with the following URL: <http://www.google.com/search?client=safari&rls=en&q=return+true;&ie=UTF-8&oe=UTF-8#sclient=psy&hl=en&client=safari&rls=en&q=creating-a-polaroid-effect-with-css%3B+%22return+false%22&aq=f&aqi=&aql=&oq=&gs_rfai=&pbx=1&fp=6e8733203d1b4e27>. Simplifying this URL we have: <http://www.google.com/search?&q=return+true;#%22return+false%22>.

This bug demonstrates a false positive.

Notice, for certain queries (e.g. <http://www.google.com/search?&q=return+true;>) Google will show a hyperlink of the form "Show more results from return-true.com" that has an onclick inline event handler whose value is "return false" (e.g. <a href="..." onclick="return false">Show more results from return-true.com</a>). Constructing a query that includes the phrase "return false" such that the search results page has a "Show more results from ..." hyperlink will result in the XSS Auditor blocking the registration of the onclick event handler since its value ("return false") appears in the URL. And because Google.com requests full-page blocking (i.e. HTTP header "X-XSS-Protection: 1; mode=block") we redirect to about:blank when we detect that the source code of the inline event handler is a substring of the page URL.

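The heuristic the comment describes, as an added model in JavaScript (not WebKit's XSSAuditor code): an inline event handler is treated as reflected when its source text is a substring of the decoded page URL, fragment included, and with `X-XSS-Protection: 1; mode=block` the page is replaced by about:blank rather than just losing the handler. The '+'-to-space decoding step, the minimal attribute regex and the sample markup are simplifying assumptions.

```javascript
// Added example: simplified model of the XSS Auditor check discussed in the bug.
// Not WebKit's code; URL decoding and attribute parsing are deliberately minimal.

// Decode the page URL the way the comparison needs it: '+' becomes a space and
// percent-escapes are resolved, in the fragment as well as the query (assumption).
function decodedUrl(url) {
  const plusDecoded = url.replace(/\+/g, " ");
  try { return decodeURIComponent(plusDecoded); } catch (e) { return plusDecoded; }
}

// Collect the source text of every inline event handler (on* attribute).
function inlineHandlers(html) {
  const re = /\son([a-z]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ event: m[1].toLowerCase(), source: m[3] ?? m[4] ?? m[5] });
  }
  return out;
}

// Decide what the auditor does for one response. A handler whose source appears
// verbatim in the decoded URL counts as reflected. With "mode=block" the whole
// page is replaced by about:blank; otherwise only the matching handlers are dropped.
function audit(url, html, xssProtectionHeader) {
  const u = decodedUrl(url);
  const reflected = inlineHandlers(html).filter((h) => u.includes(h.source));
  if (reflected.length === 0) return { action: "allow", reflected: [] };
  const block = /\bmode=block\b/i.test(xssProtectionHeader || "");
  return {
    action: block ? "navigate-to-about:blank" : "drop-handlers",
    reflected: reflected.map((h) => h.source),
  };
}

// Constructed sample: the simplified URL from the comment plus a results page that
// carries the "Show more results" link with onclick="return false". The "return
// false" text only appears in the URL fragment, which is enough to trigger the match.
const SAMPLE_URL = "http://www.google.com/search?&q=return+true;#%22return+false%22";
const SAMPLE_HTML =
  '<a href="/more" onclick="return false">Show more results from return-true.com</a>';

console.log(audit(SAMPLE_URL, SAMPLE_HTML, "1; mode=block"));
// → { action: 'navigate-to-about:blank', reflected: [ 'return false' ] }
```

The same page without the "Show more results" link yields `allow`, which is why searching for the phrase on its own did not reproduce the redirect.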