Closed Bug 1359906 Opened 7 years ago Closed 7 years ago

Mutation XSS - Escape syntax with $

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
52 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: MechaTech84, Unassigned)

Details

Attachments

(1 file)

Example POC File
1.10 KB, text/html
Details
Attached file Example POC File 
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce:

- Open a fresh install of Firefox.
- Load the attached html document
- Enter the following into the input box: 

<img src=x onerror=alert(343)>

- Click "Fire!" button
- Observe no alert box appears
- Reload the attached html document
- Enter the following into the input box: 

<img src=x onerror=alert(343)>$

- Click "Fire!" button
- Observe alert box now appears.


Actual results:

Alert box appears. I believe this is an example of mutation XSS.


Expected results:

Alert box should not appear.
(In reply to MechaTech84 from comment #0)
> Alert box should not appear.

Why? This is an issue with the webpage and how it uses user input in innerHTML without any filtering. Why is it a Firefox bug?
Flags: needinfo?(MechaTech84)
Sorry about this, I thought this was an issue with the dollar sign being used as an escape character. This can be closed, I had someone explain the issue with $' to me just now.
Flags: needinfo?(MechaTech84)
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: