510868 - Unexpected JavaScript parsing possible to XSS attack

Status: RESOLVED INVALID

(Core :: DOM: HTML Parser, defect, P1)

Description

[Vladimir]

User-Agent:       Opera/9.64 (Windows NT 5.1; U; ru) Presto/2.1.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)

Unexpected JavaScript parsing possible to XSS attack

Reproducible: Always

Steps to Reproduce:
1.Create new html file
2.Put into that file following line: <script language="JavaScript">var 
test="</script><script>alert('ONsec.ru secrity team');</script>";</script>
3. Save file and open in Mozilla
Actual Results:  
Alert showing!

Expected Results:  
Nothing

Vladimir Voronstov, Russian security research team onsec.ru

Comment 1

[Vladimir]

Attachment: open this example

Comment 2

[Benjamin Smedberg]

Why do you believe that is the expected results? The HTML parser is responsible for determining when the <script> tag closes and doesn't use JS parsing rules to determine that.

I believe this bug is INVALID... in any case moving to HTML parser and cc'ing HTML parsing experts.

Comment 3

[Brandon Sterne (:bsterne)]

If it's not INVALID, it can probably be unhidden, since this is pretty well-known behavior.

Comment 4

[Jesse Ruderman]

This is well-known behavior, and Safari does the same thing.

You might be interested in HTML5-related work that could make it easier to avoid this issue in some cases: http://wiki.whatwg.org/wiki/CDATA_Escapes (from bug 503632).