XSS when passing a script activated with onclick

RESOLVED DUPLICATE of bug 528661

Status


Firefox
Untriaged
--
major
4 years ago
4 years ago

People

(Reporter: olucim, Unassigned)

Tracking

Trunk
x86_64
Windows 7
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36

Steps to reproduce:

Go to some URL that puts a GET parameter into the DOM:
http://example.com?message=<div onclick="alert(document.getElementById('pass').value)">Click me to show Pass</div>


Actual results:

The onclick event let me execute the malicious code.


Expected results:

The onclick should have been rewritten as in Chrome or IE (actually IE rewrites onclick with #nclick).
(Reporter)

Updated

4 years ago
Severity: normal → major

Comment 1

4 years ago
Hi olucim,

Firefox currently doesn't implement an XSS filter / XSS auditor like Chrome / IE. There is a feature bug to implement the filter. Sites which are vulnerable to XSS could use CSP to prevent a majority of XSS attacks by not allowing unsafe-inline / eval.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 528661

Updated

4 years ago
Group: core-security
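
The mitigation Comment 1 describes, as an added example (not code from the bug report or from Mozilla): a page that reflects the `message` parameter encodes it as text and sends a CSP without `'unsafe-inline'` / `'unsafe-eval'`, and a conservative check confirms that a given policy omits them. The function names and the policy string are assumptions chosen for illustration.

```javascript
// Added example; function names and STRICT_CSP are hypothetical, not from the bug report.

// Encode the HTML-significant characters so reflected input renders as text, not markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// No 'unsafe-inline' and no 'unsafe-eval': inline handlers such as onclick are refused.
const STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Build the response for a page that echoes ?message=... back to the user.
function renderMessagePage(query) {
  const message = new URLSearchParams(query).get("message") || "";
  return {
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "Content-Security-Policy": STRICT_CSP,
    },
    body: `<!doctype html><p>${escapeHtml(message)}</p>`,
  };
}

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; only the first occurrence counts.
    if (!(name in directives)) directives[name] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives;
}

// Conservative audit: flags the keywords whenever present, even where a nonce or
// hash in the same directive would make a browser ignore 'unsafe-inline'.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const sources = d["script-src"] || d["default-src"]; // script-src falls back to default-src
  if (!sources) return { inlineHandlers: true, eval: true }; // scripts are unrestricted
  return {
    inlineHandlers: sources.includes("'unsafe-inline'"),
    eval: sources.includes("'unsafe-eval'"),
  };
}
```

Output encoding is the primary fix for the reflected parameter; the CSP header is the second layer that still refuses the handler if encoding is missed somewhere.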