Closed
Bug 362250
Opened 18 years ago
Closed 17 years ago
remove complete attribute on invalid attribute name.
Categories
(Core :: DOM: HTML Parser, defect)
RESOLVED
FIXED
People
(Reporter: BijuMailList, Assigned: mrbkap)
Attachments
(1 file)
400 bytes, text/html
remove complete attribute on invalid attribute name.
credits to http://ha.ckers.org/xss.html

If an attribute name of an HTML tag contains invalid characters, Firefox now ignores them.
i.e.
<body onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
is now treated as if it was
<body onload=alert("XSS")>
This will give a chance to expose poorly maintained sites to XSS.

IMHO we should remove the complete attribute on finding an invalid attribute name.
This won't be much different from
<body =alert("XSS")>
Only valid space characters ( \r\n\t) should be present between attribute and value.

Also, why should we support (\0)? Is it a W3C standard? See this simple test:
open("data:text/html,xcxc%3Cbody%20onload%00%3Dalert%28%27XSS%27%29%3Excxcxc")
We need to find statistics to know how many sites break if we stop supporting it.

PS: close this bug if it is against HTML sec.

see attachment invalid_attr_xss.html
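An added illustration, not part of the bug report or Mozilla's code: a simplified JavaScript model of the lenient attribute-name handling the description reports, next to the drop-the-attribute policy it proposes, showing which filter and parser combinations let an event handler through. The valid-name character set, the allowlist and all function names are assumptions made for the example.

```javascript
// Added illustration; simplified model, not Gecko's tokenizer.
// Assumption: a "valid" attribute name is letters, digits, '-', '_', ':' or '.'.
const VALID_RUN = /^[A-Za-z0-9_:.-]*/;
const VALID_NAME = /^[A-Za-z_:][A-Za-z0-9_:.-]*$/;

// Lenient policy (the behaviour the report describes): keep the leading run of
// valid characters and silently skip whatever follows, up to the '='.
function lenientName(raw) {
  return raw.match(VALID_RUN)[0].toLowerCase();
}

// Strict policy (what the report asks for): any invalid character makes the
// whole attribute disappear, signalled here by null.
function strictName(raw) {
  return VALID_NAME.test(raw) ? raw.toLowerCase() : null;
}

// Blocklist filter of the kind a poorly maintained site might run on raw markup.
function blocklistAllows(raw) {
  return !/^on[a-z]+$/i.test(raw);
}

// Allowlist filter: only names the site expects, compared exactly.
const ALLOWED = new Set(["class", "id", "title", "lang", "dir"]);
function allowlistAllows(raw) {
  return ALLOWED.has(raw.toLowerCase());
}

// True when the filter lets the raw name through and the parser policy then
// turns it into an event-handler attribute.
function handlerSurvives(raw, filterAllows, parseName) {
  const name = filterAllows(raw) ? parseName(raw) : null;
  return name !== null && /^on[a-z]+$/.test(name);
}

// Constructed sample names; the second is the one quoted in the report.
const SAMPLES = ["onload", "onload!#$%&()*~+-_.,:;?@[/|\\]^`", "onload\u0000", "title"];
for (const raw of SAMPLES) {
  console.log(JSON.stringify(raw),
    "blocklist+lenient:", handlerSurvives(raw, blocklistAllows, lenientName),
    "blocklist+strict:", handlerSurvives(raw, blocklistAllows, strictName),
    "allowlist+lenient:", handlerSurvives(raw, allowlistAllows, lenientName));
}
```

Only the blocklist combined with the lenient policy reports true for the two malformed names; the strict policy or an exact-match allowlist each close the gap on their own.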
Updated • 18 years ago
Assignee: nobody → mrbkap
Component: Layout → HTML: Parser
QA Contact: layout → parser
Comment 2 • 17 years ago
I think this has been fixed in bug 314980 and bug 315473.
Tested it again and found the bug was fixed.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated • 17 years ago
Flags: in-testsuite?