Closed
Bug 557420
Opened 14 years ago
Closed 14 years ago
range.createContextualFragment calls onerror handler in the tagString if it exists
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
WONTFIX
People
(Reporter: kaz.july.7, Unassigned)
Details
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; ja-JP-mac; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; ja-JP-mac; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

range.createContextualFragment calls the img.onerror handler in the tagString if it exists, when reading some specific documents like ow.ly.

Reproducible: Always

Steps to Reproduce:
A reproducible code is here: http://mozilla:vul@send.sh/vulnerablility/01_onerror/

Actual Results:
Called img.onerror handler.

Expected Results:
range.createContextualFragment must not call img.onerror handlers in the tagString.
Updated•14 years ago
Version: unspecified → 3.6 Branch
(In reply to comment #0)
> range.createContextualFragment must not call img.onerror handlers in the
> tagString.

Why not?
Component: Security → DOM: Traversal-Range
Product: Firefox → Core
QA Contact: firefox → traversal-range
Version: 3.6 Branch → 1.9.2 Branch
Comment 2•14 years ago
1. range.createContextualFragment should not evaluate any scripts because it causes some security risk (see section 2) and it does. But only img.onerror and img.onload are evaluated exceptionally.

sample code:
> var tagString = <>
> <script type="text/javascript" src="test.js"></script>
> <script type="text/javascript"><![CDATA[
> function foo() { alert("foo"); }
> ]]></script>
> <img src="not_found.jpg" onerror="javascript:foo()" />
> <img src="not_found.jpg" onerror="javascript:alert(1)" />
> <img src="found.jpg" onload="javascript:bar()" />
> </>.toString();
>
> var range = document.createRange();
> range.selectNodeContents(document.documentElement);
> range.createContextualFragment(tagString);

test.js:
> function bar() {
> alert('bar');
> }

Functions foo and bar are not evaluated. But the onerror and onload handlers are evaluated. So errors occur that foo and bar are not defined, and alert(1) is called.

2. This implementation has a potential security risk. If we want to create a Document from a string for the purpose of DOM manipulations, sometimes we write code using document.createDocument and range.createContextualFragment like this: http://gist.github.com/198443 . This snippet expects that no scripts may be executed before adding to an actual document. Safari and Google Chrome do not evaluate on running createContextualFragment. But Firefox does not act like these.
Comment 3•14 years ago
This looks invalid to me. If you do this:

var img = document.createElement("img");
img.setAttribute("onerror", "alert(1)");
img.src = "not_found.jpg";

I would expect that Firefox fires the onerror handler. Wouldn't you? Certainly Safari/Chrome do so.

The createContextualFragment case is no different. It creates the exact same DOM, so should have the same behavior.

> This snippet expects that no scripts may be executed before adding to an
> actual document.

This seems like a bogus assumption in general for in-memory DOM trees. See above createElement example.

> Safari and Google Chrome do not evaluate on running createContextualFragment.

They both show the "XSS" alert for me on your testcase from comment 0, as expected.
Updated•14 years ago
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
Comment 4•14 years ago
> > Safari and Google Chrome do not evaluate on running createContextualFragment.
>
> They both show the "XSS" alert for me on your testcase from comment 0, as
> expected.

I'm sorry. I had tried to execute the sample code in comment 2, and misunderstood that they do not execute handlers on running range.createContextualFragment. It was caused by a syntax error using E4X. And now I understand that createContextualFragment and createElement behave the same way.

But I know many addons and userscripts use createContextualFragment without any validation of the input parameter received via XMLHttpRequest. They have potential vulnerabilities. I think most of them should remove onerror and onload handlers before using createContextualFragment, or use other safe ways of getting an HTMLDocument from a string.

Thanks.
Comment 5•14 years ago
Well, in this case if you had used |doc| instead of |document| to create the range and as the context there would be no script execution, since scripting is disabled in data documents....
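The pattern comment 5 points at, as an added example that is not code from this bug thread or from the gist: parse untrusted markup into a scripting-disabled data document created with document.implementation.createHTMLDocument(), strip event handler attributes there, and only then adopt the nodes into the live page. It assumes a browser DOM; the function names are my own.

```javascript
// Added example (not from the bug thread): untrusted HTML is parsed in an
// inert data document, where inline handlers and scripts cannot run, and is
// sanitized before any node is adopted into the live document.

// Conservative sanitizer rule: every attribute whose name starts with "on"
// (onerror, onload, ...) is treated as an event handler content attribute.
function isEventHandlerAttribute(name) {
  return /^on/i.test(name);
}

// Walk an element subtree and remove every event handler attribute.
// Returns the number of attributes removed so callers can log it.
function stripEventHandlers(root) {
  let removed = 0;
  const walker = root.ownerDocument.createTreeWalker(root, NodeFilter.SHOW_ELEMENT);
  for (let el = walker.currentNode; el; el = walker.nextNode()) {
    for (const attr of Array.from(el.attributes)) {
      if (isEventHandlerAttribute(attr.name)) {
        el.removeAttribute(attr.name);
        removed++;
      }
    }
  }
  return removed;
}

// Parse untrusted HTML (e.g. an XMLHttpRequest response body) in a data
// document. createHTMLDocument() has scripting disabled, so <img onerror>
// and <script> in the string cannot execute during parsing, unlike
// createContextualFragment on a range over the live document, which builds
// the same nodes with their handlers armed. Returns the sanitized <body>.
function parseUntrustedHtml(html) {
  const doc = document.implementation.createHTMLDocument("");
  doc.body.innerHTML = html;
  stripEventHandlers(doc.body);                          // drop on* attributes
  for (const s of doc.body.querySelectorAll("script")) s.remove();
  return doc.body;
}

// Move the sanitized nodes into the live document under `target`.
// Handlers were removed before adoption, so the image loads that happen
// once the nodes are live have nothing to call back into.
function insertUntrustedHtml(html, target) {
  const body = parseUntrustedHtml(html);
  const live = target.ownerDocument;
  const frag = live.createDocumentFragment();
  while (body.firstChild) frag.appendChild(live.adoptNode(body.firstChild));
  target.appendChild(frag);
}
```

insertUntrustedHtml('<img src="not_found.jpg" onerror="alert(1)">', document.body) inserts the image without the handler; the plain createContextualFragment route from comment 0 would fire it.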
Updated•11 years ago
Component: DOM: Traversal-Range → DOM: Core & HTML