javascript quote bypass, filter's bug

11 years ago

(Reporter: bydooweedoo, Unassigned)
11 years ago
User-Agent:       Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv: Gecko/20080224 Firefox/
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv: Gecko/20080224 Firefox/

I've recently noticed that the JavaScript filter has a bug.
When you have a JavaScript variable defined in the HTML code like this:
var query = "query";
and the query is equal to:
For Firefox's JavaScript parser, </script> is a valid escape for a JavaScript string, just as " is.
So after closing the string with </script>, Firefox interprets the following characters as HTML entities.
See steps to reproduce.

Reproducible: Always

Steps to Reproduce:
1. Example of JavaScript code in a PHP page: var query = '<? echo addslashes($_GET["query"]); ?>';
2. If my request is page.php?query=</script><script>alert(document.title);</script>
3. It will print the title of the current HTML document in a JavaScript alert, because ' is equal to </script> as a valid escape for a JavaScript string.

Expected Results:  
</script> is not a valid escape character in a defined JavaScript string.
What you are describing is a Cross-site Scripting attack on a vulnerable website.  Web site authors should filter their CGI parameters before trusting them in content or sensitive code paths.

This is not a failure of Firefox's javascript parser, this is a failure of the web site's construction, and I would encourage you to report it to them, since it is something they should attend to.
Group: security
Last Resolved: 11 years ago
Resolution: --- → INVALID
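As an added example (not code from this report or from Mozilla), the following Node.js script models the point made in Comment 1: the HTML parser closes the script element at the first `</script` it sees, regardless of how the JavaScript inside quotes it, so a PHP-style addslashes() cannot protect an inline script. The hardened form JSON-encodes the value and additionally escapes `<`, `>`, `&` and U+2028/U+2029, so the terminator can never appear in the emitted script text and the value still decodes unchanged in the browser. All function names are hypothetical and `CONSTRUCTED_INPUT` is a constructed sample, not a value from the report.

```javascript
// Added example, not from the bug report. Shows why addslashes()-style escaping
// fails for data embedded in an inline <script> block, and a serializer that works.

// Mimics PHP's addslashes(): backslash-escapes ' " \ and NUL. This is the only
// protection the template in the report's step 1 relies on.
function addslashesLike(s) {
  return s.replace(/[\\'"\0]/g, (c) => (c === '\0' ? '\\0' : '\\' + c));
}

// Serializes a value as a JSON literal that is safe inside a <script> element.
// JSON.stringify handles quotes and backslashes; the extra replacements turn
// every '<', '>' and '&' into \uXXXX escapes (so the sequence "</script" cannot
// occur in the script text) and escape U+2028/U+2029, which are line terminators
// in JavaScript source but ordinary characters in JSON.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Simplified model of the HTML tokenizer's script-data state: the element ends
// at the first "</script" (case-insensitive) no matter what the JavaScript
// quoting looks like. Returns the text the JS engine will receive and the
// remainder that the HTML parser goes on to tokenize as markup.
function splitAtScriptEnd(scriptBody) {
  const m = /<\/script/i.exec(scriptBody);
  if (!m) return { script: scriptBody, leftover: '' };
  return { script: scriptBody.slice(0, m.index), leftover: scriptBody.slice(m.index) };
}

// The template from the report's step 1, rendered the vulnerable way and the safe way.
function renderNaive(query) {
  return "var query = '" + addslashesLike(query) + "';";
}
function renderSafe(query) {
  return 'var query = ' + jsonForScript(query) + ';';
}

// Constructed input (hypothetical): a value containing a closing script tag.
const CONSTRUCTED_INPUT = 'abc</script><script>/* attacker-controlled */</script>';

// Compares both renderings against the tokenizer model and checks that the
// safe form still decodes to the original value.
function demo(input) {
  const naive = splitAtScriptEnd(renderNaive(input));
  const safe = splitAtScriptEnd(renderSafe(input));
  return {
    naiveLeaksMarkup: naive.leftover.length > 0, // true: a second <script> reaches the HTML parser
    safeLeaksMarkup: safe.leftover.length > 0,   // false: everything stays inside the string literal
    safeRoundTrips: JSON.parse(jsonForScript(input)) === input,
  };
}

console.log(demo(CONSTRUCTED_INPUT));
```

The same `jsonForScript` approach applies to any server-side language: the fix is to serialize for the script-data context (JSON plus the `<`, `>`, `&` and line-terminator escapes), not to escape quotes for the JavaScript string context alone.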

Comment 2 (11 years ago)

Example: Internet Explorer and Opera are not affected.

I can't explain this.