User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030312 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030312 w3c says that <META> tags are only allowed to appear in the <HEAD> section, but Mozilla interprets them in the <BODY> section as well. This allows a cracker to craft mallicious blog postings or other user-supplied content that contains: <meta http-equiv="REFRESH" CONTENT=0;URL='http://mozilla.org/' Even with no closing >, Mozilla will follow the redirect. Several blogs are already being hit with mallicious postings that redirect to pr0n sites. They filter HTML tags out of user supplied text with something akin to 's/<.*?>//g', which would miss this attack. Reproducible: Always Steps to Reproduce: 1. Create a document with meta http-equiv="REFRESH" ... in the body 2. Open it with Mozilla 3. ??? 4. Profit! Actual Results: Mozilla followed the link in the body. Expected Results: Ignored all META tags in the body.
confirmed. through to parser for a first pass.
Assignee: asa → harishd
Status: UNCONFIRMED → NEW
Component: Browser-General → Parser
Ever confirmed: true
OS: Linux → All
QA Contact: asa → dsirnapalli
This has been determined previously to be a WONTFIX due to the number of sites that would break in Mozilla if it was fixed. See bug 98700. *** This bug has been marked as a duplicate of 98700 ***
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → DUPLICATE
not a duplicate. relevancy isn't that it's in body, but that it has no >. however, this is wontfix. get a better content validator.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
14 years ago
Status: REOPENED → RESOLVED
Last Resolved: 15 years ago → 14 years ago
Resolution: --- → WONTFIX
Verified. In HTML the closing '>' of a tag is actually optional in many circumstances. People who would filter HTML need to realize this and deal appropriately.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.