XSS through document.location when valid url has XSS payload at the end

RESOLVED INVALID

(Reporter: mateusz.krzeszowiec, Unassigned)

Tracking: 55 Branch

Description

Created attachment 8905036: test2.html

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170824053622

Steps to reproduce:

Execute a script that changes document.location to a URL that contains an XSS attack vector. Please click on the button in order to reproduce:
<html>
<body>
<button onclick="window.location='https://www.google.com/?q=abc&#39;;;alert(1);&#39;'">1</button>
</body>
</html>

Link to gist: https://gistpreview.github.io/?3fc52388c63dd0e1bf5a4225e1c24702


Actual results:

alert(1) is executed, and right after that the redirect happens


Expected results:

Firefox shouldn't parse window.location in this "dual" way. I believe the right way would be to treat a URL prefixed with "javascript:" as pure JavaScript, and if it is not JavaScript, not to attempt to execute the payload in addition to the redirect.

Comment 1

In both Chrome and Firefox, this markup:

<button onclick="window.location='https://www.google.com/?q=abc&#39;;;alert(1);&#39;'" >1</button>

is correctly read as HTML representing:

<button onclick="window.location='https://www.google.com/?q=abc';;alert(1);''" >1</button>

So if you ask for:

document.querySelectorAll("button")[0].getAttribute("onclick")

you get:

"window.location='https://www.google.com/?q=abc';;alert(1);''"

which gets executed as the body of a JS function being:

window.location='https://www.google.com/?q=abc';;
alert(1);''

(newlines for clarity mine).

Which will cause the alert to run. If this happens in a web-app you are responsible for, then the solution is to not insert content you don't control as HTML / innerHTML without sanitizing/validating it.

Not a bug, so unhiding and closing as invalid.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → INVALID
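The two layers the comment describes, as an added example that is not part of the bug report or of Firefox's code: a reduced HTML attribute decoder models what the browser does with `&#39;` before the onclick body ever reaches the JavaScript engine, and two ways of building that attribute from an untrusted URL are compared. The decoder, the escaping helpers (escapeHtmlAttr, escapeJsString, buildOnclickNaive, buildOnclickLayered, analyse) and the sample URL are constructed for this illustration; the example assumes Node.js.

```javascript
'use strict';
// Added example (not from the bug report): models the two decoding layers
// the comment describes and contrasts HTML-only escaping with layered
// escaping. Assumes Node.js; every input below is constructed.

// Layer 1: reduced HTML attribute-value decoder. Covers decimal and hex
// numeric references with or without the trailing semicolon (browsers
// still decode "&#39" without it) plus the five basic named references.
// A full entity table is out of scope for this illustration.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeAttributeValue(raw) {
  return raw.replace(/&#[xX]([0-9a-fA-F]+);?|&#([0-9]+);?|&([a-zA-Z]+);/g,
    (match, hex, dec, name) => {
      if (hex !== undefined || dec !== undefined) {
        const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
        return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
      }
      return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
    });
}

// Layer 2: what the JavaScript parser makes of the decoded attribute.
// For code of the form  window.location='<literal>'<rest>  return the raw
// literal body and whatever source follows its closing quote. A non-empty
// rest means the untrusted value broke out of the string literal.
function splitAssignment(js) {
  const prefix = "window.location='";
  if (!js.startsWith(prefix)) throw new Error('unexpected statement prefix');
  let i = prefix.length;
  let body = '';
  while (i < js.length) {
    const ch = js[i];
    if (ch === '\\') { body += js.slice(i, i + 2); i += 2; continue; } // escape pair
    if (ch === "'") break;                                               // closing quote
    body += ch;
    i++;
  }
  if (i >= js.length) throw new Error('unterminated string literal');
  return { literal: body, rest: js.slice(i + 1) };
}

// HTML attribute escaping: right for a plain attribute such as title="…",
// but on its own it does nothing for the JavaScript layer, because the
// browser decodes &#39; back to a quote before the script runs.
function escapeHtmlAttr(s) {
  return s.replace(/[&<>"']/g, c => '&#' + c.charCodeAt(0) + ';');
}

// JavaScript string-literal escaping: every character outside [A-Za-z0-9]
// becomes \xHH or \u{H...}, so the value cannot carry a quote, backslash or
// newline once the JS engine reads it.
function escapeJsString(s) {
  return Array.from(s, ch => {
    if (/^[A-Za-z0-9]$/.test(ch)) return ch;
    const cp = ch.codePointAt(0);
    return cp < 0x100 ? '\\x' + cp.toString(16).padStart(2, '0')
                      : '\\u{' + cp.toString(16) + '}';
  }).join('');
}

// Naive template: HTML-escape only. Its output is the markup from the bug.
function buildOnclickNaive(untrusted) {
  return "window.location='" + escapeHtmlAttr(untrusted) + "'";
}

// Layered template: escape for the innermost context first (JS string),
// then for the outer one (HTML attribute), the reverse of decoding order.
function buildOnclickLayered(untrusted) {
  const js = "window.location='" + escapeJsString(untrusted) + "'";
  return escapeHtmlAttr(js);
}

// Push one untrusted value through a template and then both layers.
// Only the isolated string literal is evaluated (never `rest`), purely to
// recover the URL the browser would navigate to.
function analyse(builder, untrusted) {
  const attr = builder(untrusted);
  const js = decodeAttributeValue(attr);
  const { literal, rest } = splitAssignment(js);
  let url = null;
  try { url = new Function("return '" + literal + "';")(); } catch (e) { url = null; }
  return { attr, js, literal, rest, url, injected: rest.length > 0 };
}

// Constructed attacker-controlled value: the URL from the bug report
// followed by the quote-break and alert(1) from its payload.
const UNTRUSTED = "https://www.google.com/?q=abc';;alert(1);'";

for (const [label, builder] of [['naive', buildOnclickNaive], ['layered', buildOnclickLayered]]) {
  const r = analyse(builder, UNTRUSTED);
  console.log(`${label}: onclick="${r.attr}"`);
  console.log(`  JS after attribute decoding: ${r.js}`);
  console.log(`  value escaped the string literal: ${r.injected}`);
}
```

Run it with node. The naive template reproduces, character for character, the markup quoted in Comment 1, and the decoder turns it into the two statements shown there; the layered template keeps the same untrusted value inside the string literal because the JavaScript-level escapes survive the browser's attribute decoding. The ordering rule (escape for the innermost context first, then for the context that wraps it) is the general fix for any attribute whose value is parsed a second time by another language.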