Closed Bug 539812 Opened 15 years ago Closed 15 years ago

possible XSS via innerHTML content containing <img onload="malicious code here"....

Categories

(Core :: DOM: HTML Parser, defect)

defect
Not set
normal

RESOLVED INVALID

People

(Reporter: andrew.luetgers, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1

It's my understanding that the browser will not eval the content of script tags passed to it via innerHTML because it is a security issue. If this is the case, the same security issue still resides within innerHTML via the image onload attribute.

Reproducible: Always

Steps to Reproduce:
1. Use the following js snippet to eval code with innerHTML
2. document.getElementById("someID").innerHTML = '<img src="http://static.flowplayer.org/tools/img/blank.gif" onload="alert(\'hello\');"/>';

Actual Results: page alerts "hello"

Expected Results: no js from inner html runs
OS: Windows Vista → All
Hardware: x86 → All
This was not done as a security feature it's just a matter of interpretation (and perhaps incomplete reverse-engineering of Microsoft's innerHTML feature). Microsoft has an explicit DEFER attribute that will let <script> tags work as part of innerHTML, and DEFER has been added to the HTML 5 spec so I would guess Firefox will sprout it sooner or later. You could always add a script tag through the DOM (createElement, appendChild), and in these the script definitely executes. Using the event handler as a workaround for innerHTML brokenness is documented as a helpful tip in several places I was able to find by searching so there's no need for this to remain a hidden security bug. I don't believe there is a bug here, or if there is it probably comes down to a duplicate of the "implement IE's <script defer> feature" bug.
Group: core-security
Component: Security → HTML: Parser
Product: Firefox → Core
QA Contact: firefox → parser
Firefox 3.6 implements 'defer' per HTML5. Per HTML5, <script> (whether defer or otherwise) in innerHTML doesn't run.
Huh? The defer attribute has nothing to do with innerHTML. But Dan is right in that the fact that <script>s do not work when created using innerHTML is not a security feature. It is purely a consequence of the fact that that's what IE did and sites depended on it. So marking this bug invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
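An added example (not from the bug report or from Mozilla): a lint-style check in plain JavaScript that lists every script-execution vector in an HTML fragment, which makes the point of the comments above concrete: innerHTML refusing to run <script> is not a security boundary, because inline event-handler attributes and javascript: URLs in the same fragment still execute. The sample fragments (the reporter's own snippet plus three constructed ones) are embedded inline; the regexes are assumptions, and this is a check for templates and test fixtures, not a sanitizer.

```javascript
// Added example, not code from the bug report: enumerate the ways a fragment
// handed to innerHTML can execute script. <script> elements are the one vector
// innerHTML does NOT run; inline on* handlers and javascript: URLs still do.
// Regex tokenizer, not an HTML parser: good enough for a lint, not a sanitizer.

const TAG_RE = /<\s*([a-zA-Z][\w:-]*)([^>]*)>/g;
const ATTR_RE = /([^\s=\/"'>]+)(?:\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
const URL_ATTRS = new Set(["href", "src", "action", "formaction", "data"]);

// Return one finding per executable vector in the fragment.
function findScriptVectors(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const name = tag[1].toLowerCase();
    if (name === "script") {
      findings.push({ vector: "script-element", tag: name });
    }
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const attrName = attr[1].toLowerCase();
      // groups 3/4/5 are the double-quoted, single-quoted and bare value forms
      const value = (attr[3] ?? attr[4] ?? attr[5] ?? "").trim();
      if (attrName.startsWith("on")) {
        findings.push({ vector: "event-handler", tag: name, attr: attrName });
      } else if (URL_ATTRS.has(attrName) &&
                 /^javascript:/i.test(value.replace(/\s+/g, ""))) {
        findings.push({ vector: "javascript-url", tag: name, attr: attrName });
      }
    }
  }
  return findings;
}

// Constructed inputs; reportSnippet is the fragment from the bug report.
const SAMPLES = {
  reportSnippet: '<img src="http://static.flowplayer.org/tools/img/blank.gif" onload="alert(\'hello\');"/>',
  scriptElement: "<p>hi</p><script>alert(1)</script>",
  jsUrl: '<a HREF="JavaScript:alert(1)">x</a>',
  plain: '<p class="note">hello <b>world</b></p>',
};

for (const [label, html] of Object.entries(SAMPLES)) {
  console.log(label, findScriptVectors(html));
}
```

Only the plain fragment comes back empty; the reporter's snippet is flagged as an event-handler vector even though it contains no <script> at all.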
Sorry, I thought I read some MS documentation that said <script defer> would run in IE if added to innerHTML. Perhaps I misinterpreted it, or it was simply changed in HTML5.
http://msdn.microsoft.com/en-us/library/ms533897%28VS.85%29.aspx -- not that that changes the resolution of the bug.