meta http-equiv headers in <body> are interpreted

Status: VERIFIED WONTFIX
Product: Core
Component: HTML: Parser
Severity: major
Reporter: Trammell Hudson
Assigned: harishd
Version: Trunk
Hardware/OS: x86 / All

Description (Reporter, 15 years ago)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030312
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030312

W3C says that <META> tags are only allowed to appear in the <HEAD> section, but
Mozilla interprets them in the <BODY> section as well.  This allows a cracker to
craft malicious blog postings or other user-supplied content that contains:

<meta http-equiv="REFRESH" CONTENT=0;URL='http://mozilla.org/'

Even with no closing >, Mozilla will follow the redirect.

Several blogs are already being hit with malicious postings that redirect to
pr0n sites.  They filter HTML tags out of user supplied text with something akin
to 's/<.*?>//g', which would miss this attack.

Reproducible: Always

Steps to Reproduce:
1. Create a document with meta http-equiv="REFRESH" ... in the body
2. Open it with Mozilla
3. ???
4. Profit!

Actual Results:  
Mozilla followed the link in the body.

Expected Results:  
Ignored all META tags in the body.

Confirmed. Through to parser for a first pass.
Assignee: asa → harishd
Status: UNCONFIRMED → NEW
Component: Browser-General → Parser
Ever confirmed: true
OS: Linux → All
QA Contact: asa → dsirnapalli

Comment 2

15 years ago
This has been determined previously to be a WONTFIX due to the number of sites
that would break in Mozilla if it was fixed.  See bug 98700.

*** This bug has been marked as a duplicate of 98700 ***
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → DUPLICATE

Not a duplicate. Relevancy isn't that it's in body, but that it has no >.

However, this is wontfix. Get a better content validator.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

Status: REOPENED → RESOLVED
Last Resolved: 15 years ago → 14 years ago
Resolution: --- → WONTFIX

Verified.  In HTML the closing '>' of a tag is actually optional in many
circumstances.  People who would filter HTML need to realize this and deal
appropriately.
Status: RESOLVED → VERIFIED
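Added illustration (not the bug's or Mozilla's code) of what the last two comments mean by a better content validator: the reporter's unclosed <meta> is run through the 's/<.*?>//g' filter, through a stripper that tokenizes the way a lenient HTML parser does, through plain output escaping, and through a detection check; SAMPLE_POST is a constructed input.

```python
import html
import re

# The reporter's payload from the bug: a <meta> refresh with no closing '>'.
PAYLOAD = "<meta http-equiv=\"REFRESH\" CONTENT=0;URL='http://mozilla.org/'"
# Constructed sample comment wrapping that payload in ordinary text.
SAMPLE_POST = "great article!\n" + PAYLOAD + "\nthanks"

TAG_RE = re.compile(r"<.*?>", re.S)
META_REFRESH_RE = re.compile(r"<\s*meta\b[^>]*?http-equiv\s*=\s*['\"]?refresh", re.I)

def naive_strip(text):
    """The 's/<.*?>//g' filter from the bug: only removes complete '<...>'."""
    return TAG_RE.sub("", text)

def strip_tags_like_a_browser(text):
    """Drop tags as a lenient tokenizer would see them: '<' followed by a
    letter, '/', '!' or '?' opens a tag running to the next '>' or, if
    there is none, to end of input. Any other '<' is ordinary text."""
    out, i, n = [], 0, len(text)
    while i < n:
        nxt = text[i + 1] if i + 1 < n else ""
        if text[i] == "<" and (nxt.isalpha() or nxt in ("/", "!", "?")):
            end = text.find(">", i + 1)
            i = n if end == -1 else end + 1  # unclosed tag swallows the rest
            continue
        out.append(text[i])
        i += 1
    return "".join(out)

def escape_untrusted(text):
    """Preferred fix: encode instead of strip; '&lt;meta' renders as text."""
    return html.escape(text, quote=True)

def looks_like_meta_refresh(text):
    """Moderation/detection check for the pattern the bug describes."""
    return META_REFRESH_RE.search(text) is not None

def demo():
    return {"naive": naive_strip(SAMPLE_POST),
            "tokenized": strip_tags_like_a_browser(SAMPLE_POST),
            "escaped": escape_untrusted(SAMPLE_POST),
            "flagged": looks_like_meta_refresh(SAMPLE_POST)}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Note that the tokenizing stripper also discards the text after the unclosed tag, which is one more reason escaping beats stripping for untrusted input.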