Closed Bug 362250 Opened 19 years ago Closed 18 years ago

remove complete attribute on invalid attribute name.

Categories

(Core :: DOM: HTML Parser, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: BijuMailList, Assigned: mrbkap)

Attachments

(1 file)

remove complete attribute on invalid attribute name.
credits to http://ha.ckers.org/xss.html

If an attribute name of an HTML tag contains invalid characters, Firefox now ignores them, i.e.
<body onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
is now treated as if it were
<body onload=alert("XSS")>
This will give a chance to expose poorly maintained sites to XSS.

IMHO we should remove the complete attribute on finding an invalid attribute name. This won't be much different from
<body =alert("XSS")>
Only valid space characters ( \r\n\t) should be present between attribute and value.

Also, why should we support (\0)? Is it a W3C standard? See this simple test:
open("data:text/html,xcxc%3Cbody%20onload%00%3Dalert%28%27XSS%27%29%3Excxcxc")
We need to find statistics to know how many sites break if we stop supporting it.

PS: close this bug if it is against HTML sec.
See attachment invalid_attr_xss.html
Attached file invalid_attr_xss.html
Assignee: nobody → mrbkap
Component: Layout → HTML: Parser
QA Contact: layout → parser
I think this has been fixed in bug 314980 and bug 315473.
Tested it again and found the bug was fixed.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
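
The two policies discussed in this report, side by side, as an added example that is not part of the original bug and is not Gecko's parser code. The function names, the attribute-name grammar, and the "keep the leading valid run" model of the lenient behaviour are assumptions made for illustration; the sample tag is the one quoted in the report.

```javascript
// Added example. Assumed name grammar: ASCII letter, '_' or ':' first,
// then letters, digits, '_', ':', '.', '-'.
const NAME_RUN = /^[A-Za-z_:][A-Za-z0-9_:.-]*/;
const isValidName = (s) => { const m = s.match(NAME_RUN); return !!m && m[0] === s; };
const isHandler = (s) => /^on[a-z]+$/i.test(s);   // naive name-based filter test
const isSpace = (c) => c === ' ' || c === '\t' || c === '\r' || c === '\n';

// Split the inside of a start tag into { rawName, value } pairs without
// normalising the name, so the caller decides what to do with junk.
function parseAttributes(tagBody) {
  const attrs = [], n = tagBody.length;
  let i = 0;
  while (i < n && !isSpace(tagBody[i])) i++;       // skip the tag name
  while (i < n) {
    while (i < n && isSpace(tagBody[i])) i++;
    if (i >= n) break;
    let start = i;
    while (i < n && tagBody[i] !== '=' && !isSpace(tagBody[i])) i++;
    const rawName = tagBody.slice(start, i);       // may be empty: <body =x>
    while (i < n && isSpace(tagBody[i])) i++;
    let value = null;
    if (tagBody[i] === '=') {
      i++;
      while (i < n && isSpace(tagBody[i])) i++;
      const q = tagBody[i];
      if (q === '"' || q === "'") {                // quoted value
        const end = tagBody.indexOf(q, i + 1);
        value = tagBody.slice(i + 1, end < 0 ? n : end);
        i = end < 0 ? n : end + 1;
      } else {                                     // unquoted value
        start = i;
        while (i < n && !isSpace(tagBody[i])) i++;
        value = tagBody.slice(start, i);
      }
    }
    attrs.push({ rawName, value });
  }
  return attrs;
}

// Lenient model: keep the leading valid run and ignore the rest of the name.
const lenientName = (raw) => (raw.match(NAME_RUN) || [''])[0];
// A filter that inspects the raw name misses a handler the lenient parser accepts.
const blocklistBypassed = (raw) => !isHandler(raw) && isHandler(lenientName(raw));
// Strict policy proposed in the report: drop the complete attribute.
const dropInvalid = (tagBody) => parseAttributes(tagBody).filter((a) => isValidName(a.rawName));

const SAMPLE = 'body onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert("XSS")'; // tag from the report
```

Under the strict policy the sample tag, the empty-name tag and a name containing `\0` all lose the attribute, while a well-formed attribute on the same tag is kept.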