Open Bug 682565 Opened 13 years ago Updated 2 years ago

Infinite save dialog loop block with document.location reassignment

Categories

(Firefox :: Security, defect)

6 Branch
x86
Windows XP
defect

UNCONFIRMED

People

(Reporter: zpzp0909, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

User Agent: Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.9.168 Version/11.50

Steps to reproduce:

write in address bar text:

data:text/html;,
<embed src="data:text/html;,<script>alert(0);</script>" type="text/html">
<iframe src="data:text/html;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:text/html;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:video/avi;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:video/avi;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:video/mpeg;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:video/mpeg;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:image/png;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:image/png;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:image/gif;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:image/gif;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:text/html;,<script>alert(0);</script>" type="text/html"></iframe>
<iframe src="data:text/html;,<script>alert(0);</script>" type="text/html"></iframe>
..........
<script>setTimeout(function(){document.location=document.location;},1);</script>

Actual results:

visual interface bug, many iframes, many save dialogs, many alerts

Expected results:

correct display of, without rapid changes
Attached image screenshot
Comment on attachment 556262 text in address bar or ready html file
Attachment #556262 - Attachment mime type: text/plain → text/html
What would you expect Firefox to do in this case? All browsers I tested seem to react the same as Firefox...
(In reply to Tim (fmdeveloper) from comment #3)
> What would you expect Firefox to do in this case? All browsers I tested seem
> to react the same as Firefox...

allow the script to stop.
Blocks: eviltraps
Component: General → Security
See Also: → 682569
Summary: firefox visual interface bug, many iframes, many save dialogs, many alerts → Infinite save dialog loop block with document.location reassignment
Severity: normal → S3
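
A static check for the page shape this report describes, as a crawler or content filter might apply it: several `data:` URI frames combined with a timer that re-assigns the page's own location. This is an added example, not code from the bug or from Firefox; `data_uri_mime`, `TrapScanner`, `scan`, the `min_frames` threshold and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

DIALOG_CALL = re.compile(r"\b(?:alert|confirm|prompt)\s*\(")
TIMER_CALL = re.compile(r"\bset(?:Timeout|Interval)\s*\(")
# location = location, document.location = document.location, location.reload()
SELF_NAV = re.compile(r"\blocation(?:\.href)?\s*=\s*(?:(?:document|window)\.)?location\b"
                      r"|\blocation\.reload\s*\(")

def data_uri_mime(url):
    """Media type declared by a data: URL, or None for any other URL."""
    if not url.lower().startswith("data:"):
        return None
    return url[5:].split(",", 1)[0].split(";", 1)[0].strip().lower() or "text/plain"

class TrapScanner(HTMLParser):
    """Counts the ingredients the report combines (heuristic; names are assumed)."""
    def __init__(self):
        super().__init__()
        self.dialog_frames = 0    # inline text/html frames that call a modal dialog
        self.non_html_frames = 0  # data: frames of other types (save-dialog candidates)
        self.timed_self_nav = self._in_script = False
    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        if tag in ("iframe", "embed", "frame"):
            src = dict(attrs).get("src") or ""
            mime = data_uri_mime(src)
            if mime == "text/html":
                self.dialog_frames += bool(DIALOG_CALL.search(src))
            elif mime is not None:
                self.non_html_frames += 1
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and TIMER_CALL.search(data) and SELF_NAV.search(data):
            self.timed_self_nav = True

def scan(html, min_frames=5):
    s = TrapScanner()
    s.feed(html)
    s.close()
    s.flagged = s.timed_self_nav and s.dialog_frames + s.non_html_frames >= min_frames
    return s

# Constructed sample shaped like the report's test case (shortened).
FRAME = '<iframe src="data:{};,<script>alert(0);</script>" type="text/html"></iframe>'
SAMPLE = ("".join(FRAME.format(m) for m in 3 * ["text/html"] + ["video/avi", "image/png"]) +
          "<script>setTimeout(function(){document.location=document.location;},1);</script>")
```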