[Webkit-unassigned] [Bug 68094] xssauditor - script block ending in comment can bypass auditor.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 22 10:28:27 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=68094

--- Comment #23 from Adam Barth <abarth at webkit.org>  2011-09-22 10:28:27 PST ---
(From update of attachment 108261)
View in context: https://bugs.webkit.org/attachment.cgi?id=108261&action=review

> Source/WebCore/html/parser/XSSAuditor.cpp:600
> +            while (foundPosition < endPosition && !isHTMLSpace(string[foundPosition]))
> +                foundPosition++;
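Review bot: the only bound on this scan is endPosition, so a single long run of non-whitespace characters carries foundPosition arbitrarily far past kMaximumFragmentLengthTarget, and nothing in the skipped span is ever examined, which is what lets a comment opener placed there escape the check. Consider also stopping the loop at characters that can begin a comment, or capping how far past the target the scan may advance, so the fragment boundary cannot be pushed past a comment start by simply omitting whitespace.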

I see.  This could walk over a carefully-placed comment that was just after position kMaximumFragmentLengthTarget.  Good catch sir.
