[Webkit-unassigned] [Bug 90667] New: HTML extensions to String.prototype should escape " as &quot; in argument values

bugzilla-daemon at webkit.org
Fri Jul 6 01:51:02 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=90667

           Summary: HTML extensions to String.prototype should escape "
                    as &quot; in argument values
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
               URL: http://mathias.html5.org/tests/javascript/string/
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mathias at qiwi.be
                CC: peter at chromium.org


Currently:

> '_'.link('a"b')
'<a href="a"b">_</a>'

Expected result:

> '_'.link('a"b')
'<a href="a&quot;b">_</a>'

The problem here is JSC doesn’t escape " into &quot; at the moment, which is a potential security risk (XSS vector).

For this reason, Chrome/V8 escapes " into &quot;. Firefox/SpiderMonkey is going to change its behavior to do the same: https://bugzilla.mozilla.org/show_bug.cgi?id=352437. Opera/Carakan will change its behavior too, as soon as other browsers change (bug DSK-369206).

http://mathias.html5.org/specs/javascript/#escapeattributevalue requires escaping the ".

Tests: http://mathias.html5.org/tests/javascript/string/

Here’s a list of the methods that have this issue:

* String.prototype.anchor(name)
* String.prototype.fontcolor(color)
* String.prototype.fontsize(size)
* String.prototype.link(href)

See http://trac.webkit.org/browser/trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp.
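As an added illustration (not part of this bug report and not WebKit's StringPrototype.cpp), the following is an independent JavaScript reference implementation of the CreateHTML helper behind these four methods, with `"` in the attribute value replaced by `&quot;` as the linked spec requires. The `hrefAndRemainder` tokenizer and `nativeLinkEscapesQuotes` check are assumptions added here: the first shows where an HTML parser would end the attribute in the "Currently" output versus the expected one, and the second lets a reader test the engine they are running on.

```javascript
// Reference CreateHTML(string, tag, attribute, value), written here as an
// independent implementation of the escapeattributevalue requirement, not
// WebKit's code. The only escaping performed is '"' -> '&quot;' inside the
// attribute value, which is exactly what the bug report asks JSC to do.
function createHTML(string, tag, attribute, value) {
  const S = String(string);
  let p1 = '<' + tag;
  if (attribute !== undefined) {
    const V = String(value);
    const escapedV = V.replace(/"/g, '&quot;');
    p1 += ' ' + attribute + '="' + escapedV + '"';
  }
  return p1 + '>' + S + '</' + tag + '>';
}

// The four methods listed in the report, built on the reference algorithm.
const safe = {
  anchor: (s, name) => createHTML(s, 'a', 'name', name),
  fontcolor: (s, color) => createHTML(s, 'font', 'color', color),
  fontsize: (s, size) => createHTML(s, 'font', 'size', size),
  link: (s, href) => createHTML(s, 'a', 'href', href),
};

// Hypothetical minimal tokenizer: extract the href value of a single <a ...>
// start tag the way an HTML parser would, i.e. the value ends at the first
// '"' after the opening quote. Whatever follows that quote is no longer part
// of the attribute, which is why an unescaped '"' in the argument matters.
function hrefAndRemainder(markup) {
  const start = markup.indexOf('href="') + 'href="'.length;
  const end = markup.indexOf('"', start);
  return { href: markup.slice(start, end), remainder: markup.slice(end + 1) };
}

// Check whether the engine running this code escapes '"' in String.prototype.link
// by comparing its native output with the reference implementation.
function nativeLinkEscapesQuotes() {
  return '_'.link('a"b') === safe.link('_', 'a"b');
}

// Constructed sample: the report's "Currently" output versus the expected one.
const currentOutput = '<a href="a"b">_</a>';
const expectedOutput = safe.link('_', 'a"b'); // '<a href="a&quot;b">_</a>'
console.log(hrefAndRemainder(currentOutput));  // href: 'a', remainder: 'b">_</a>'
console.log(hrefAndRemainder(expectedOutput)); // href: 'a&quot;b', remainder: '>_</a>'
console.log('native link escapes quotes:', nativeLinkEscapesQuotes());
```

On an engine that implements the escaping (any ES2015+ engine, where CreateHTML is specified in Annex B), `nativeLinkEscapesQuotes()` returns true; on a JSC build with the behavior described in this report it returns false, and the tokenizer output shows the attribute value being cut at the first quote.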

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email