[Webkit-unassigned] [Bug 66585] XSS filter bypass via document.write(location.href) and fragments
bugzilla-daemon at webkit.org
Wed Aug 24 11:43:01 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=66585
--- Comment #1 from Daniel Bates <dbates at webkit.org> 2011-08-24 11:43:02 PST ---
I am unable to reproduce this issue using either Safari or Chrome for Mac, Version 5.1 (7534.48.3, r93670) and 14.0.835.109 beta, respectively.
Are there any additional details?
I did notice that Chrome doesn't visibly encode the fragment portion of the URL, which is consistent with both the description of this bug and what is reiterated in <http://code.google.com/p/chromium/issues/detail?id=76796#c7>. When running the example in Chrome, we attempt to construct the HTML Script Element. The XSS Auditor detects this and scrubs the contents of the <script>.
In comparison, in Safari the fragment portion of the URL is encoded and hence we don't interpret it as HTML markup.
For completeness, we have some test coverage for DOM-based XSS via window.location. For example, <http://trac.webkit.org/browser/trunk/LayoutTests/http/tests/security/xssAuditor/dom-write-location.html>.
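The browser difference the comment describes, modelled as an added example (not code from the bug report or from WebKit): one helper leaves the fragment raw as Chrome did, another percent-encodes it as Safari did, and a hardened writer HTML-escapes the value so that neither behaviour leaves markup in the output. The sample URL and the `probe()` fragment are constructed for the demonstration.

```javascript
// Constructed sample: a URL whose fragment carries a script tag.
const BASE = "http://example.test/page.html";
const FRAGMENT = "#<script>probe()</script>";

// Chrome-style behaviour: location.href exposes the fragment unchanged.
function hrefRaw(base, fragment) {
  return base + fragment;
}

// Safari-style behaviour: the fragment is percent-encoded before scripts see it.
function hrefEncoded(base, fragment) {
  return base + encodeURI(fragment);
}

// Minimal HTML escaper for placing untrusted text into markup.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  }[c]));
}

// Models document.write(location.href) with no escaping: the pattern in the bug.
function writeUnsafe(href) {
  return href;
}

// Hardened form: escape before insertion, so browser encoding no longer matters.
function writeSafe(href) {
  return escapeHtml(href);
}

// True when the emitted markup contains a script start tag.
function containsScriptTag(markup) {
  return /<script[\s>]/i.test(markup);
}

// Evaluates all four combinations; only the raw fragment written unescaped injects.
function matrix() {
  const raw = hrefRaw(BASE, FRAGMENT);
  const enc = hrefEncoded(BASE, FRAGMENT);
  return {
    rawUnsafe: containsScriptTag(writeUnsafe(raw)),      // true: markup reaches the page
    encodedUnsafe: containsScriptTag(writeUnsafe(enc)),  // false: masked by encoding only
    rawSafe: containsScriptTag(writeSafe(raw)),          // false
    encodedSafe: containsScriptTag(writeSafe(enc)),      // false
  };
}
```

The `encodedUnsafe` row is the one to notice: the unescaped write only looks safe because of Safari's encoding, which is not a property the page author controls.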