javascript code execution on event handlers on nodes that aren't appended to a document

RESOLVED WONTFIX

Status: RESOLVED WONTFIX
Priority: --
Severity: minor
Reported: 9 years ago
Modified: 9 years ago

People: Reporter: sirdarckcat (Unassigned)
Attachments: 1 attachment

Description (Reporter, 9 years ago)
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5

Mozilla crashed. You suck!  

Reproducible: Always

Steps to Reproduce:
1. execute this:
with(document.createElement("img"))setAttribute('onerror','alert(1)'),setAttribute('src','.'); 
2. alert(1)
3. ??
4. Profit!
Actual Results:  
alert(1)

Expected Results:  
this also executes
document.createElement("pre").innerHTML="<img onerror='alert(1)' src='.'/>"; 

shouldn't execute until the image is appended to a document (document.documentElement or a descendant)

if this is a WONTFIX then it's ok, I don't care (actually, I prefer if this is wontfix, more sandbox escaping fun)

What I'm reporting is that it's just unexpected that doing virtualElement.innerHTML=something is going to execute something (as well in setAttribute).

you can bypass this if you hold all the nodes in a node with a namespace.
return document.createElementNS("http://sirdarckcat.net/","thing");

greetz!!
Comment 1 (Reporter, 9 years ago)
Oh, and FWIW, WebKit team is fixing a similar bug
https://bugs.webkit.org/show_bug.cgi?id=26825
Comment 3 (Reporter, 9 years ago)
? this is not a crash dude..

Comment 4 (9 years ago)
you're an idiot dude.

"Mozilla crashed. You suck!  "

don't write that if you don't mean it.
Comment 5 (Reporter, 9 years ago)
hahahahahahahahahaha

https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&format=guided#short_desc

Bad example: Mozilla crashed. You suck!
Good example: After a crash which happened when I was sorting in the Bookmark Manager,
all of my top-level bookmark folders beginning with the letters Q to Z are no longer present.
Updated (Reporter, 9 years ago)
Summary: javascript code execution on event handlers on nodes that aren't appended to a document → THIS IS NOT A CRASH - javascript code execution on event handlers on nodes that aren't appended to a document

Comment 6 (9 years ago)
(In reply to comment #1)
> Oh, and FWIW, WebKit team is fixing a similar bug
> https://bugs.webkit.org/show_bug.cgi?id=26825
That is not about img.

Note, one can create/load image element also using "var img = new Image();
img.src = 'url_to_image';" syntax,
and that has been used for *years* to preload images before using them in the
document.
Comment 7 (Reporter, 9 years ago)
what is being fixed in webkit is that code execution is allowed on a DOM not appended to a document.

anyway, as you state image preloading will be broken if this is fixed.. so, wontfix sounds like a sweeeeeeeeeeeeeeeet solution haha :)
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → WONTFIX

Comment 8 (9 years ago)
html5 documents this, and indeed changing this would break the web :)
Resolution: WONTFIX → INVALID
Summary: THIS IS NOT A CRASH - javascript code execution on event handlers on nodes that aren't appended to a document → javascript code execution on event handlers on nodes that aren't appended to a document
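Added example, not code from this bug report or from Mozilla. It puts the behaviour the thread settles on (a detached <img> still loads and its inline onerror runs, which is the same mechanism that image preloading with new Image() relies on) next to the inert alternative a page author can use instead: parse untrusted markup with DOMParser, whose document has no browsing context, so nothing is fetched and no handler fires while the tree is inspected. It assumes a browser environment; the function names are my own, and the sample markup is constructed from the report's payload with a harmless handler in place of alert(1).

```javascript
// Added example (not from the bug report). Assumes a browser: document,
// DOMParser and the HTML parser are needed; run it in a page or the
// devtools console. All function names below are my own.

// What the thread establishes: the element does not have to be in the
// document for its content to become live. Assigning markup to the
// innerHTML of a detached element creates a real <img>, setting src starts
// the fetch, and when it fails the inline onerror runs. Detachment is not
// a sandbox.
function detachedInnerHtmlIsLive(markup) {
  const holder = document.createElement("pre"); // never appended
  holder.innerHTML = markup;                     // <img src> loads, onerror can fire
  return holder.querySelector("img") !== null;
}

// Inert alternative: parse into a document with no browsing context. There
// <img src> is not fetched and onerror stays a plain attribute, so the tree
// can be inspected safely. (A <template>'s content fragment is inert too.)
function parseInert(markup) {
  return new DOMParser().parseFromString(markup, "text/html").body;
}

// Markers of active content in a parsed tree: inline handler attributes and
// javascript: URLs. Pure string checks, so they can be tested on their own.
function isInlineHandlerAttribute(name) {
  return /^on[a-z]/i.test(name);
}
function isScriptUrl(value) {
  // drop ASCII controls and spaces, which the URL parser strips before the scheme
  return /^javascript:/i.test(value.replace(/[\u0000-\u0020]/g, ""));
}

// Walk an inert tree and report what would have executed had the markup gone
// straight into a live innerHTML. Meant for logging and triage; for actual
// insertion into the page use a maintained sanitizer, not this short list.
function findActiveContent(root) {
  const hits = [];
  for (const el of root.querySelectorAll("*")) {
    if (el.localName === "script") hits.push({ tag: "script", attr: null });
    for (const { name, value } of Array.from(el.attributes)) {
      if (isInlineHandlerAttribute(name)) {
        hits.push({ tag: el.localName, attr: name });
      } else if ((name === "src" || name === "href") && isScriptUrl(value)) {
        hits.push({ tag: el.localName, attr: name });
      }
    }
  }
  return hits;
}

// Demo, browser only. Constructed sample: the report's payload with a
// harmless handler in place of alert(1).
if (typeof document !== "undefined") {
  const sample = "<img onerror='console.log(\"onerror ran on a detached node\")' src='.'/>";
  const live = detachedInnerHtmlIsLive(sample);       // true; the handler runs shortly after
  const hits = findActiveContent(parseInert(sample)); // [{tag:"img", attr:"onerror"}]; nothing runs
  console.log({ live, hits });
}
```

The detection list is deliberately narrow: it catches the two forms the thread is about (on* attributes and script URLs) and is enough to show that the inert document sees the same attributes without executing them. It is not a sanitizer; srcdoc, object/embed, style and CSS url() are among the things it does not look at.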
Comment 9 (Reporter, 9 years ago)
I just realized that this is done by Firefox's source code at the moment of making "view-generated source code".

So, a new Node (not appended to a document) is created and then the code from the webpage is appended to it, so when it tries to get the source code it executes the event.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 10 (Reporter, 9 years ago)
Created attachment 386938 [details]
Testcase, Select the image, right click and select "view selection source"

Select the image, right click and select "view selection source"

Comment 11

(In reply to comment #10)
> Created an attachment (id=386938) [details]
> Testcase, Select the image, right click and select "view selection source"
> 
> Select the image, right click and select "view selection source"

That is a different bug, nothing to do with this one.

Comment 12 (9 years ago)
Agreed, totally different issue (context menu executes cloneNode(true) on the container node of the selection). This issue is still WONTFIX, the other might actually be worth looking into - if reported separately.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → WONTFIX