Bug 448166 - escaped low surrogates possible XSS hazard in URIs
Keywords: verified1.8.1.17
Product: Core
Classification: Components
Component: Networking
Version: 1.8 Branch
Platform: All All
Importance: -- normal
Target Milestone: ---
Assigned To: Boris Zbarsky [:bz]
URL: data:text/html,<a href="
Depends on: 316394
Blocks: xss 316338
Reported: 2008-07-26 22:35 PDT by Daniel Veditz [:dveditz]
Modified: 2009-02-21 09:23 PST
CC: 9 users
Flags: dveditz: blocking1.8.1.17+
       bzbarsky: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description Daniel Veditz [:dveditz] 2008-07-26 22:35:07 PDT
On "The Scanner" blog Gareth noticed that HTML-escaped low surrogates in javascript: URIs were ignored as if they weren't there, a possible XSS hazard if sites don't recognize javascript: links.

This works in the latest Firefox but not Firefox 3. The trunk did get a fix for bug 316394 but that's in CSS and wouldn't have fixed this I don't think. Putting escaped low surrogates into HTML elements correctly leads to unknown tags (e.g. <scr&#xdc00;ipt> doesn't work).

<a href="http://www.moz&#xdc00;">shouldn't be mozilla</a>
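Added illustration, not code from the bug report or from Mozilla's parser: a small JavaScript model of the two ways a numeric character reference for a lone low surrogate can be decoded inside an href, next to a hypothetical naive server-side filter of the kind the report warns about. The function names, the `drop`/`replace` modes, the filter and the sample hrefs are all assumptions made for this example; a real HTML tokenizer also handles named entities and missing semicolons, which this model leaves out.

```javascript
// Added illustration, not Mozilla's parser. Decodes numeric character
// references (&#NNN; and &#xHHHH;) in an attribute value. The real HTML
// tokenizer also handles named entities and missing semicolons; this model
// only covers the numeric form the bug report uses.
//
//   mode 'drop'    : a lone surrogate (U+D800..U+DFFF) vanishes from the
//                    output, the behaviour the bug describes
//   mode 'replace' : a lone surrogate becomes U+FFFD, matching the
//                    "http://www.moz\uFFFD" the verified build produced
function decodeNumericRefs(value, mode) {
  return value.replace(/&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));/g, (ref, hex, dec) => {
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    if (cp >= 0xd800 && cp <= 0xdfff) {
      return mode === 'drop' ? '' : '\uFFFD';
    }
    if (cp > 0x10ffff) {
      return '\uFFFD'; // outside the Unicode range
    }
    return String.fromCodePoint(cp);
  });
}

// Hypothetical server-side filter (an assumption for this example): it
// inspects the raw attribute text and rejects only an href that literally
// starts with "javascript:". It tolerates leading whitespace and case but
// never decodes character references, which is the gap the report describes.
function naiveFilterAllows(rawHref) {
  return !/^\s*javascript:/i.test(rawHref);
}

// The scheme a browser would see after decoding, or null if the decoded
// text does not start with a syntactically valid scheme.
function schemeOf(href) {
  const m = /^\s*([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(href);
  return m ? m[1].toLowerCase() : null;
}

// Constructed samples: the bug's own testcase, plus a javascript: href that
// smuggles a lone low surrogate into the scheme name.
const SAMPLES = {
  testcase: 'http://www.moz&#xdc00;',
  smuggled: 'java&#xdc00;script:alert(1)',
};

function demo(raw) {
  const dropped = decodeNumericRefs(raw, 'drop');
  const replaced = decodeNumericRefs(raw, 'replace');
  return {
    filterAllows: naiveFilterAllows(raw),
    dropped,
    replaced,
    schemeIfDropped: schemeOf(dropped),
    schemeIfReplaced: schemeOf(replaced),
  };
}

for (const [name, raw] of Object.entries(SAMPLES)) {
  console.log(name, demo(raw));
}
```

For the smuggled sample the raw text passes the filter, the `drop` decoding yields `javascript:alert(1)` with scheme `javascript`, and the `replace` decoding yields `java\uFFFDscript:alert(1)`, which has no valid scheme at all. The model only shows the decoder/filter mismatch; it says nothing about how bug 316394 is implemented inside Gecko.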
Comment 1 Simon Montagu :smontagu 2008-07-26 23:58:10 PDT
Bug 316394 covered both CSS escapes and HTML numeric entities.
Comment 2 Daniel Veditz [:dveditz] 2008-08-18 18:25:43 PDT
This has now been posted to a higher profile site (microsoft)
Comment 3 Boris Zbarsky [:bz] 2008-08-22 22:41:34 PDT
The branch merge for bug 316394 fixes this testcase.
Comment 4 Boris Zbarsky [:bz] 2008-08-25 10:25:19 PDT
Fixed by backporting bug 316394.

I checked in an HTML test for this.  We can use bug 316394 to track the xpcom unit tests needed here.
Comment 5 Stephen Donner [:stephend] - PTO; back on 5/28 2008-09-02 15:16:52 PDT
Verified FIXED using : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2008082909 Firefox/, which yields http://www.moz�

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/2008070205 Firefox/, however, has

Replacing fixed1.8.1.17 keyword with verified1.8.1.17; additionally, since this bug seems scoped to the 1.8 branch, marking its state as VERIFIED FIXED.
