Status
Firefox / Untriaged
RESOLVED INVALID
2 months ago
2 months ago

People
(Reporter: freethinkworld, Unassigned)

Tracking
Firefox Tracking Flags: (Not tracked)
(Reporter)

Description

2 months ago
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce:

Today when I was concerned about the bug in Google Chrome, I found the same problem in Firefox.
<?php
// Reflects the html query parameter into the page unescaped; the only "defence" is the X-XSS-Protection header.
header('X-XSS-Protection: 1; mode=block');
echo "<!DOCTYPE html><html><head></head><body>{$_GET['html']}</body></html>";
?>
http://127.0.0.1/xss.php?html=%3Cscript%3Ealert(1);%3C/script%20


Actual results:

The space before `</body>` is important, so the browser can determine that a new tag is being opened, "auto closes" the script tag, and an alert box appears.


Expected results:

XSS Auditor Bypass with partial closing script tag

Comment 1

2 months ago
Did you report this issue to Chrome? Can you link to the ticket?
Flags: needinfo?(freethinkworld)
(Reporter)

Comment 2

2 months ago
(In reply to :Gijs from comment #1)
> Did you report this issue to Chrome? Can you link to the ticket?

No, because someone has submitted this bug to Google. I just thought of this bug while wondering whether there is such a problem in Firefox.
The link is https://bugs.chromium.org/p/chromium/issues/detail?id=742459
Flags: needinfo?(freethinkworld)

Comment 3

2 months ago
We don't have an "XSS auditor", and so this isn't a bug in Firefox. Consider using CSP for defense-in-depth against XSS.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 months ago
Resolution: --- → INVALID

Comment 4

2 months ago
bug 528661 covers adding support for X-XSS-Protection, but right now it seems unlikely it'll happen, as CSP is much more broadly supported and offers more control.
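As an added example (not code from the bug report or from Mozilla), the reporter's page from the description beside a hardened version, with a naive blacklist filter to show why a check for a complete `</script>` tag is the wrong defence; the CSP header follows the advice in comment 3, and SAMPLE_INPUT is a constructed copy of the decoded query string from the report.

```php
<?php
// Added example, not code from the bug report: the reporter's reflected page
// beside a hardened version. The constants, function names and CSP policy are
// this example's own assumptions.

// Constructed payload, identical to the decoded query string in the report:
// "<script>alert(1);</script " (note the trailing space, no closing '>').
const SAMPLE_INPUT = "<script>alert(1);</script ";

// Naive blacklist: strips only a fully closed </script>, so the payload passes
// through untouched and the page's own </body> still terminates the script.
// Checks of this shape are what the partial-closing-tag trick defeats.
function naive_filter(string $untrusted): string
{
    return str_replace('</script>', '', $untrusted);
}

// Correct fix: contextual output encoding for HTML body text.
// ENT_SUBSTITUTE keeps htmlspecialchars from returning '' on invalid UTF-8.
function encode_for_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Same template as the reporter's page, but only ever given encoded text.
function render(string $bodyText): string
{
    return "<!DOCTYPE html><html><head></head><body>{$bodyText}</body></html>";
}

// Defence in depth (comment 3): a CSP without 'unsafe-inline' blocks the
// inline alert in every browser, whether or not an XSS auditor exists.
// X-XSS-Protection is deliberately not relied on; Firefox ignores it (comment 3).
header("Content-Type: text/html; charset=utf-8");
header("Content-Security-Policy: default-src 'none'; script-src 'self'; base-uri 'none'");

// From the CLI $_GET is empty, so the constructed sample is used.
$input = $_GET['html'] ?? SAMPLE_INPUT;

// Shown for contrast only: the blacklist leaves the payload unchanged.
$filtered = naive_filter($input);

// What actually ships: the '<' and '>' are encoded, so the browser renders
// the payload as literal text instead of parsing a script element.
echo render(encode_for_html($input));
```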
(Reporter)

Comment 5

2 months ago
Well, I know. Thank you for your answer.