From https://twitter.com/jackmasa/status/236843727086317569 The following code writes '<img src="xx:x" onerror="alert(1)">' to the document. Is this by design or a bug? <script> with(document)cookie='∼≩≭≧∯≳≲≣∽≸≸∺≸∠≯≮≥≲≲≯≲∽≡≬≥≲≴∨∱∩∾',write(cookie); </script>
Status: NEW → UNCONFIRMED
Ever confirmed: false
Line 1288 is probably causing all this: http://dxr.lanedo.com/mozilla-central/content/html/document/src/nsHTMLDocument.cpp.html#l1288
document.cookie must be encoded/decoded as UTF-8 per spec. http://dev.w3.org/html5/spec/single-page.html#dom-document-cookie
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment on attachment 654178 [details] [diff] [review] encode/decode document.cookie as UTF-8 per HTML5 spec r=me, but please add a test or two?
Attachment #654178 - Flags: review?(bzbarsky) → review+
Ugh, ConvertStringFromCharset("utf-8") also failed if the string is invalid as UTF-8... > please add a test or two? Done. One for decoding a non-UTF-8 string from an HTTP header, and the other for the example in comment #0.
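Added example, not from this bug or the Mozilla patch, modelling the two conversions at issue in comment #0 and comment #10: narrowing each UTF-16 code unit of the cookie value to its low byte (which turns a string with no ASCII '<' in it into markup) versus the spec's UTF-8 encode/decode round trip, using a non-fatal decoder so an invalid byte from a header becomes U+FFFD instead of failing the whole getter. The PAYLOAD constant is copied from comment #0; all function names are my own.

```javascript
// Added example (not from the bug or Mozilla's patch). Models the two ways a
// document.cookie DOMString (UTF-16) can cross the byte boundary.

// Copied from comment #0: every code point is in the U+22xx block, so its
// low byte happens to be a printable ASCII character.
const PAYLOAD = '∼≩≭≧∯≳≲≣∽≸≸∺≸∠≯≮≥≲≲≯≲∽≡≬≥≲≴∨∱∩∾';

// Lossy narrowing: keep only the low 8 bits of each UTF-16 code unit.
// This is the defective conversion: a value with no ASCII '<' at all
// comes back from the cookie jar as HTML markup.
function narrowToLowByte(str) {
  const bytes = new Uint8Array(str.length);
  for (let i = 0; i < str.length; i++) {
    bytes[i] = str.charCodeAt(i) & 0xff;
  }
  return bytes;
}

function bytesToLatin1(bytes) {
  return String.fromCharCode(...bytes);
}

// Spec behaviour: UTF-8 encode on set, UTF-8 decode on get.
function utf8Encode(str) {
  return new TextEncoder().encode(str);
}

// Non-fatal decoder: an invalid sequence (e.g. a raw Latin-1 byte from a
// Set-Cookie header) becomes U+FFFD rather than aborting the getter, which
// is the "recover on error" requirement raised in comment #10.
function utf8Decode(bytes) {
  return new TextDecoder('utf-8', { fatal: false }).decode(bytes);
}

// What a reader of document.cookie sees under each conversion.
function lossyRoundTrip(str) {
  return bytesToLatin1(narrowToLowByte(str));
}

function utf8RoundTrip(str) {
  return utf8Decode(utf8Encode(str));
}

// Regression check: does the stored value contain markup-significant ASCII
// that the caller never wrote?
function introducesMarkup(original, stored) {
  return !/[<>]/.test(original) && /[<>]/.test(stored);
}
```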
Comment on attachment 657718 [details] [diff] [review] encode/decode document.cookie as UTF-8 per HTML5 spec Do we have an existing bug on the missing kOnError_Recover support? If so, please link this code from that bug and add the bug number to the comment. If we don't have one, please file one and then do the above. r=me
Attachment #657718 - Flags: review?(bzbarsky) → review+
I found bug 638379.
Attachment #657718 - Attachment is obsolete: true
(In reply to Masatoshi Kimura [:emk] from comment #8) > https://tbpl.mozilla.org/?tree=Try&rev=6c0769e869aa Green on Try. https://hg.mozilla.org/integration/mozilla-inbound/rev/af0971ca7acd
Assignee: nobody → VYV03354
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
-> VERIFIED. Tested on a Nightly/Windows build from http://hg.mozilla.org/mozilla-central/rev/0d3b17a88d5f
Status: RESOLVED → VERIFIED
Component: DOM → DOM: Core & HTML
Product: Core → Core