Mutation XSS - Escape syntax with $

RESOLVED INVALID

Status

()

Firefox
Untriaged
RESOLVED INVALID
8 months ago
8 months ago

People

(Reporter: MechaTech84, Unassigned)

Tracking

52 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

8 months ago
Created attachment 8862058 [details]
Example POC File

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce:

- Open a fresh install of Firefox.
- Load the attached html document
- Enter the following into the input box: 

<img src=x onerror=alert(343)>

- Click "Fire!" button
- Observe no alert box appears
- Reload the attached html document
- Enter the following into the input box: 

<img src=x onerror=alert(343)>$

- Click "Fire!" button
- Observe alert box now appears.


Actual results:

Alert box appears. I believe this is an example of mutation XSS.


Expected results:

Alert box should not appear.

Comment 1

8 months ago
(In reply to MechaTech84 from comment #0)
> Alert box should not appear.

Why? This is an issue with the webpage and how it uses user input in innerHTML without any filtering. Why is it a Firefox bug?
Flags: needinfo?(MechaTech84)
(Reporter)

Comment 2

8 months ago
Sorry about this, I thought this was an issue with the dollar sign being used as an escape character. This can be closed, I had someone explain the issue with $' to me just now.
Flags: needinfo?(MechaTech84)

Updated

8 months ago
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 months ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.