Bug 448166 - escaped low surrogates possible XSS hazard in URIs
Keywords: verified1.8.1.17
Product: Core
Classification: Components
Component: Networking
Version: 1.8 Branch
Platform: All All
Importance: -- normal
Target Milestone: ---
Assigned To: Boris Zbarsky [:bz] (still a bit busy)
QA Contact: Patrick McManus [:mcmanus]
URL: data:text/html,<a href="
Depends on: 316394
Blocks: 316338 xss
Reported: 2008-07-26 22:35 PDT by Daniel Veditz [:dveditz]
Modified: 2009-02-21 09:23 PST (History)
dveditz: blocking1.8.1.17+
bzbarsky: in‑testsuite+

Description Daniel Veditz [:dveditz] 2008-07-26 22:35:07 PDT
On "The Scanner" blog Gareth noticed that html-escaped low surrogates in javascript uris were ignored as if they weren't there, a possible XSS hazard if sites don't recognize javascript: links.

This works in the latest Firefox but not Firefox 3. The trunk did get a fix for bug 316394 but that's in CSS and wouldn't have fixed this I don't think. Putting escaped low surrogates into HTML elements correctly leads to unknown tags (e.g. <scr&#xdc00;ipt> doesn't work).

<a href="http://www.moz&#xdc00;">shouldn't be mozilla</a>
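As an added illustration, not part of the bug report, here is a Python link check that decodes numeric character references the way HTML5 specifies (a reference to a surrogate code point becomes U+FFFD) and, optionally, the way this report describes the 1.8 branch behaving (the reference silently vanishes), then validates the scheme with an allowlist so the verdict is the same under either decoding. The `SAFE_SCHEMES` set, the function names and the inputs are constructed for this example.

```python
import re

# Constructed allowlist for this example; a real sanitizer picks its own.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Numeric character references only (&#NNN; / &#xHHHH;); named references
# are not needed to show the behaviour discussed in the bug.
_NUMERIC_REF = re.compile(r"&#([xX][0-9a-fA-F]+|[0-9]+);?")


def decode_charrefs(text, drop_lone_surrogates=False):
    """Decode numeric character references in an attribute value.

    HTML5 maps a reference to a surrogate code point (U+D800..U+DFFF) to
    U+FFFD.  With drop_lone_surrogates=True the reference disappears
    instead, which is what the report describes for the 1.8 branch.
    """
    def repl(m):
        ref = m.group(1)
        cp = int(ref[1:], 16) if ref[0] in "xX" else int(ref)
        if 0xD800 <= cp <= 0xDFFF:
            return "" if drop_lone_surrogates else "\ufffd"
        if cp == 0 or cp > 0x10FFFF:
            return "\ufffd"
        return chr(cp)
    return _NUMERIC_REF.sub(repl, text)


def is_allowed_link(href_attr, drop_lone_surrogates=False):
    """Allowlist check on a raw href attribute value.

    If a ':' appears before any '/', '?' or '#', everything before it is
    treated as a scheme and must be in SAFE_SCHEMES.  A scheme that is only
    unrecognisable because of an oddly decoded reference is therefore
    rejected, whichever way the browser later decodes it.
    """
    url = decode_charrefs(href_attr, drop_lone_surrogates).lstrip(" \t\n\r\f")
    head = re.split(r"[/?#]", url, maxsplit=1)[0]
    if ":" not in head:
        return True  # relative URL, no scheme to check
    return head.split(":", 1)[0].lower() in SAFE_SCHEMES
```

The report's own testcase keeps its http scheme under both decodings and passes; a scheme broken up by a surrogate reference is not in the allowlist under either decoding and fails.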
Comment 1 Simon Montagu :smontagu 2008-07-26 23:58:10 PDT
Bug 316394 covered both CSS escapes and HTML numeric entities.
Comment 2 Daniel Veditz [:dveditz] 2008-08-18 18:25:43 PDT
This has now been posted to a higher-profile site (Microsoft).
Comment 3 Boris Zbarsky [:bz] (still a bit busy) 2008-08-22 22:41:34 PDT
The branch merge for bug 316394 fixes this testcase.
Comment 4 Boris Zbarsky [:bz] (still a bit busy) 2008-08-25 10:25:19 PDT
Fixed by backporting bug 316394.

I checked in an HTML test for this.  We can use bug 316394 to track the xpcom unit tests needed here.
Comment 5 Stephen Donner [:stephend] 2008-09-02 15:16:52 PDT
Verified FIXED using : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2008082909 Firefox/, which yields http://www.moz�

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/2008070205 Firefox/, however, has

Replacing fixed1.8.1.17 keyword with verified1.8.1.17; additionally, since this bug seems scoped to the 1.8 branch, marking its state as VERIFIED FIXED.