Closed Bug 1229887 Opened 9 years ago Closed 9 years ago

XSS hazard: HTML body text interpolated as <script> content through backticks

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Version:
43 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: dveditz, Unassigned)

Details

Attachments

(2 files)

alerttest.html
43 bytes, text/html
Details
Original PoC
138 bytes, text/html
Details
Attached file alerttest.html 
serazoli reported odd behavior to the security alias: HTML body text is being interpolated into a script tag due to backticks. A document consisting of:

  alert('aaa');             
  `<script src=""></script>`

Will display the expected body text

   alert('aaa')` `

but it will also unexpectedly fire the alert.

I didn't think that was how ES6 template strings worked, and in any case this is HTML body text and not in JS.
My expected results text above is wrong, Firefox does also show the semi-colon as you'd expect (see the attachment).

Henri: any idea what the parser is doing here?
Flags: needinfo?(hsivonen)
Attached file Original PoC 
The original PoC had quite a bit more HTML markup inside the grave-quoted string between the alert text and the script tag. I edited it down for a minimal testcase but it's somewhat interesting to see how far back the script tag can reach.
Oh!  Right!  Jesse pointed out to me that <script src=""></script> resolves the empty-string location to the current location.  So then you have an HTML page with some garbage text that includes a script element that loads the page as a script.  Then the page source evaluates an alert() call as one expression/statement, then evaluates a template string containing a script element with no observable side effect.

So, this is working basically the way it should.  The weird thing is that src="" will load the current page as a script.  Once you do that, you get whatever is in the current page, that happens to evaluate as a script.  I don't think, once you set aside the load of a script with executable contents, there's anything worrisomely XSS about this.
Flags: needinfo?(hsivonen)
Thanks Jesse! 

In a real page that someone's trying to XSS there's a vanishingly small chance that the entire page will correctly evaluate as a syntactically valid script, and any syntax error prevents execution of anything.

The given testcase doesn't work on Chrome (maybe they don't support ` strings yet), and apparently they don't treat src="" as a self-reference, but with a minor modification this behavior works in other browsers, at least when loaded from a file: url. I've heard Chrome is going to require (has?) correct Content-Type for <script> source files, but that has to be relaxed for file: urls.

  alert('aaa');
  ' <script src="#foo"></script> '    

Surprising behavior, but makes sense in hindsight.
Group: core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: