Created attachment 8862058
Example POC File

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce:

- Open a fresh install of Firefox.
- Load the attached HTML document.
- Enter the following into the input box: <img src=x onerror=alert(343)>
- Click the "Fire!" button.
- Observe that no alert box appears.
- Reload the attached HTML document.
- Enter the following into the input box: <img src=x onerror=alert(343)>$
- Click the "Fire!" button.
- Observe that an alert box now appears.

Actual results:

Alert box appears. I believe this is an example of mutation XSS.

Expected results:

Alert box should not appear.
(In reply to MechaTech84 from comment #0)

> Alert box should not appear.

Why? This is an issue with the webpage and how it uses user input in innerHTML without any filtering. Why is it a Firefox bug?
Sorry about this, I thought this was an issue with the dollar sign being used as an escape character. This can be closed, I had someone explain the issue with $' to me just now.
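The attachment itself is not visible here, so the following is an added illustration rather than the reporter's POC: a constructed template-and-filter pipeline that shows why a user-controlled replacement string passed to `String.prototype.replace` behaves differently once it contains `$'` (the replacement-pattern for "text after the match"), and the two fixes a page author would apply: a function replacer so the value is inserted literally, and HTML escaping before anything reaches innerHTML. The template string, the `looksLikeMarkup` filter and the function names are assumptions for the demo.

```javascript
// Added example; not code from the bug's attachment.
//
// The second argument of String.prototype.replace() is not inserted
// literally. JavaScript expands "replacement patterns" inside it:
//   $&  the matched text        $`  text before the match
//   $'  text after the match    $$  a literal dollar sign
// A page that validates user input and then uses it as the replacement
// string therefore ends up with *template* text in the output, which the
// validator never saw.

// Hypothetical page template; {{input}} is substituted with user input.
const TEMPLATE = '<p>You typed: {{input}}</p><p class="note">trusted footer</p>';

// Hypothetical naive filter: reject anything that looks like markup.
function looksLikeMarkup(s) {
  return /[<>]/.test(s);
}

// Weak pipeline: filter the input, then substitute it as a plain string.
// "$'" passes the filter, and replace() expands it to everything that
// follows the placeholder in TEMPLATE, tags included.
function renderNaive(userInput) {
  if (looksLikeMarkup(userInput)) return null;
  return TEMPLATE.replace('{{input}}', userInput);
}

// Fix 1: a function replacer. Its return value is used verbatim, so "$'"
// stays "$'" and nothing from the template is duplicated.
function renderLiteral(userInput) {
  if (looksLikeMarkup(userInput)) return null;
  return TEMPLATE.replace('{{input}}', () => userInput);
}

// Fix 2: escape for the HTML text context instead of pattern-matching the
// input, and still use the function form so "$" sequences are inert.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSafe(userInput) {
  return TEMPLATE.replace('{{input}}', () => escapeHtml(userInput));
}

// Demo with constructed inputs.
for (const sample of ["$'", 'hi $& there', '$$', "<img src=x onerror=alert(343)>$'"]) {
  console.log('input      :', JSON.stringify(sample));
  console.log('  naive    :', renderNaive(sample));
  console.log('  literal  :', renderLiteral(sample));
  console.log('  escaped  :', renderSafe(sample));
}
```

In the naive form, `$'` copies the closing `</p>` and the whole trailing paragraph into the user-controlled position, so output that the filter "approved" now contains markup it never inspected; `$&` re-inserts the placeholder and `$$` collapses to one dollar sign. The function-replacer form is the minimal fix when a replacement string must carry untrusted data; when the result is going into the DOM, the robust fix is to escape for the target context (as `renderSafe` does) or to avoid innerHTML entirely and assign the value with `textContent`, which never parses it as markup.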