Bug 1397276: XSS through document.location when valid url has XSS payload at the end

Status: RESOLVED INVALID (opened 8 years ago, closed 8 years ago)
Product / Component: Firefox :: Untriaged
Type: defect
Version: 55 Branch
Priority: Not set
Severity: normal
Reporter: mateusz.krzeszowiec
Assignee: Unassigned
Attachments: 1 file

Attached file test2.html

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170824053622

Steps to reproduce:

Execute a script that changes document.location to a URL that contains an XSS attack vector. Please click on the button in order to reproduce:

<html>
<body></body>
<button onclick="window.location='https://www.google.com/?q=abc&#39;;;alert(1);&#39;'" >1</button>
</html>

Link to gist: https://gistpreview.github.io/?3fc52388c63dd0e1bf5a4225e1c24702

Actual results:

alert(1) is executed, and right after that the redirect happens.

Expected results:

Firefox shouldn't parse window.location in this "dual" way. I believe the right way would be to treat a URL prefixed with "javascript:" as pure JavaScript and, if it's not JavaScript, not to attempt to execute the payload in addition to the redirect.
In both Chrome and Firefox, this markup:

<button onclick="window.location='https://www.google.com/?q=abc&#39;;;alert(1);&#39;'" >1</button>

is correctly read as HTML representing:

<button onclick="window.location='https://www.google.com/?q=abc';;alert(1);''" >1</button>

So if you ask for:

document.querySelectorAll("button")[0].getAttribute("onclick")

you get:

"window.location='https://www.google.com/?q=abc';;alert(1);''"

which gets executed as the body of a JS function being:

window.location='https://www.google.com/?q=abc';;
alert(1);''

(newlines for clarity mine). Which will cause the alert to run.

If this happens in a web-app you are responsible for, then the solution is to not insert content you don't control as HTML / innerHTML without sanitizing/validating it.

Not a bug, so unhiding and closing as invalid.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
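As an added example (not code from the bug report, the reporter or Mozilla): the decoding step the closing comment describes, applied to the reporter's handler, next to the hardened way of building the same redirect. `decodeAttributeValue`, `unsafeOnclick`, `handlerBodySeenByJs` and `safeRedirectUrl` are names chosen here, and the decoder is a deliberate simplification of the HTML spec's character-reference algorithm.

```javascript
// Added example, not part of the bug report. Shows why the inline handler
// runs alert(1): the HTML parser decodes the attribute value before the JS
// engine ever sees it, so HTML-escaping a quote does not protect JS syntax.

// Simplified attribute-value decoder (numeric references, a few named ones);
// the full HTML spec algorithm has more cases, this covers the bug's markup.
function decodeAttributeValue(raw) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return raw.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return String.fromCodePoint(cp);
    }
    const replacement = named[body.toLowerCase()];
    return replacement === undefined ? match : replacement;
  });
}

// Vulnerable pattern (hypothetical server-side template): the untrusted value
// is pasted into an inline handler with only its quotes HTML-escaped.
function unsafeOnclick(userValue) {
  const htmlEscaped = userValue.replace(/'/g, '&#39;');
  return `window.location='https://www.google.com/?q=${htmlEscaped}'`;
}

// What the JS engine actually compiles as the handler body.
function handlerBodySeenByJs(userValue) {
  return decodeAttributeValue(unsafeOnclick(userValue));
}

// Hardened: build the URL with the URL API so the value is percent-encoded
// into the query and never becomes HTML or JS syntax. Assign it from script
// (e.g. button.addEventListener('click', () => { location.href = url; }))
// instead of generating an onclick attribute from untrusted input.
function safeRedirectUrl(userValue) {
  const url = new URL('https://www.google.com/');
  url.searchParams.set('q', userValue);
  return url.href;
}

// Constructed input: the same value the reporter's markup carries.
const reporterPayload = "abc';;alert(1);'";
console.log(handlerBodySeenByJs(reporterPayload));
// window.location='https://www.google.com/?q=abc';;alert(1);''
console.log(safeRedirectUrl(reporterPayload));
// https://www.google.com/?q=abc%27%3B%3Balert%281%29%3B%27
```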