[Webkit-unassigned] [Bug 68094] New: xssauditor - script block ending in comment can bypass auditor.
bugzilla-daemon at webkit.org
Wed Sep 14 11:21:15 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=68094
Summary: xssauditor - script block ending in comment can bypass auditor.
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Minor
Priority: P2
Component: WebKit Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: tsepez at chromium.org
CC: abarth at webkit.org, dbates at webkit.org
Blocks: 66579
Second part of https://bugs.webkit.org/show_bug.cgi?id=27895.
This is for the situation where the page contains a naturally-occurring close script tag on the same line as the injection, e.g.
<img src="$q"><script>foo()</script>
where $q is the injected vector from the URL, typically ?q="><script>alert(0)//, yielding
<img src=""><script>alert(0)//"><script>foo()</script>
and the comment removes the unparseable fragment from consideration by JS. The xssauditor, looking at the entire script block, will fail to match because the "><script>foo() fragment isn't in the URL.
Unlike the inline case, entities aren't an issue here, but because of false positives, stopping on the first comment isn't likely to be acceptable. Many script blocks will begin with a comment, e.g.
<script>
// Copyright (c) 2001 by some guy.
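As an added illustration (not part of the original report, and not WebKit's XSSAuditor source), the following toy Python model contrasts the two matching strategies discussed above on the report's own page fragment: comparing the whole script body against the URL misses the injected block, while stopping at the first // catches it but also flags a benign block that opens with a copyright comment. The template, URLs and benign page are constructed sample values.

```python
# Toy model of the script-block matching heuristic described in the report.
# Constructed illustration only; the URLs and page fragments are made up.
import re
from urllib.parse import unquote

SCRIPT_BODY = re.compile(r"<script>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# Constructed vulnerable template: $q is reflected unescaped into the src
# attribute, with a legitimate inline script later on the same line.
TEMPLATE = '<img src="$q"><script>foo()</script>'
INJECTED_URL = 'http://example.test/page?q=%22%3E%3Cscript%3Ealert(0)//'
BENIGN_URL = 'http://example.test/page?q=cats'
BENIGN_PAGE = '<script>\n// Copyright (c) 2001 by some guy.\nfoo()\n</script>'


def query_value(url: str) -> str:
    """Decoded value of the q parameter (just enough parsing for the demo)."""
    return unquote(url.split("?q=", 1)[1])


def render(template: str, url: str) -> str:
    """Reflect the query value into the template exactly as the report describes."""
    return template.replace("$q", query_value(url))


def script_bodies(html: str) -> list[str]:
    """Inline script bodies as the tokenizer delimits them (first </script> wins)."""
    return SCRIPT_BODY.findall(html)


def whole_block_flags(html: str, url: str) -> list[bool]:
    """Heuristic A: flag a block only if its entire body appears in the URL.
    The trailing '"><script>foo()' fragment is never in the URL, so this misses."""
    return [body in unquote(url) for body in script_bodies(html)]


def prefix_before_comment_flags(html: str, url: str) -> list[bool]:
    """Heuristic B: compare only the text before the first '//'.
    Catches the reported case, but a block that opens with a comment yields an
    empty prefix, which is a substring of every URL: the false positive the
    report warns about."""
    flags = []
    for body in script_bodies(html):
        prefix = body.split("//", 1)[0].strip()
        flags.append(prefix in unquote(url))
    return flags


if __name__ == "__main__":
    attacked = render(TEMPLATE, INJECTED_URL)
    print(attacked)
    print("A:", whole_block_flags(attacked, INJECTED_URL))
    print("B:", prefix_before_comment_flags(attacked, INJECTED_URL))
    print("B on benign page:", prefix_before_comment_flags(BENIGN_PAGE, BENIGN_URL))
```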