[Webkit-unassigned] [Bug 130475] New: XSS Auditor doesn't block <script> injected before an existing <script>
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Mar 19 14:20:26 PDT 2014
https://bugs.webkit.org/show_bug.cgi?id=130475
Summary: XSS Auditor doesn't block <script> injected before an
existing <script>
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
URL: http://demofaast.elevenpaths.com:9002/xssbypass/script
bypass.php?value=%3Cscript%3Ealert%28%22Bypass%20Messa
ge%22%29
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: dbates at webkit.org
CC: abarth at webkit.org, tsepez at chromium.org
Without loss of generality, consider a page with the following PHP markup:
<!DOCTYPE html>
<html>
<body>
<?php echo $_GET["q"] ?><script>function dummy() {}</script>
</body>
</html>
Take q := "<script>alert(/XSS/)". Then the page displays a JavaScript alert with message "/XSS/".
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list