Bug 1397276
Opened 7 years ago
Closed 7 years ago
XSS through document.location when valid url has XSS payload at the end
Categories
(Firefox :: Untriaged, defect)
RESOLVED
INVALID
People
(Reporter: mateusz.krzeszowiec, Unassigned)
Attachments
(1 file)
166 bytes, text/html
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170824053622

Steps to reproduce:

Execute a script that changes document.location to a URL that contains an XSS attack vector. Please click on the button in order to reproduce:

    <html>
    <body></body>
    <button onclick="window.location='https://www.google.com/?q=abc';;alert(1);''" >1</button>
    </html>

Link to gist: https://gistpreview.github.io/?3fc52388c63dd0e1bf5a4225e1c24702

Actual results:

alert(1) is executed and right after that the redirect happens.

Expected results:

Firefox shouldn't parse window.location in this "dual" way. I believe that the right way would be to treat a URL prefixed with "javascript:" as pure JavaScript and, if it's not JavaScript, not to attempt to execute the payload in addition to the redirect.
Comment 1 • 7 years ago
In both Chrome and Firefox, this markup:

    <button onclick="window.location='https://www.google.com/?q=abc';;alert(1);''" >1</button>

is correctly read as HTML representing:

    <button onclick="window.location='https://www.google.com/?q=abc';;alert(1);''" >1</button>

So if you ask for:

    document.querySelectorAll("button")[0].getAttribute("onclick")

you get:

    "window.location='https://www.google.com/?q=abc';;alert(1);''"

which gets executed as the body of a JS function being:

    window.location='https://www.google.com/?q=abc';;
    alert(1);''

(newlines for clarity mine). Which will cause the alert to run.

If this happens in a web-app you are responsible for, then the solution is to not insert content you don't control as HTML / innerHTML without sanitizing/validating it.

Not a bug, so unhiding and closing as invalid.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID