Tickets :: Comment on [#8715] XSS vulnerability

* Your Email Address
* Spam protection	Enter the letters below: . .. . .. . . \|_/ \|\ \| \|\| \|\ \| \| \\| \\|\__\|\|___\| \\|
Comment	> Don't forget about other content types. For example, if the data is > the base64 encoding of: > > <?xml version="1.0" encoding="UTF-8"?> > <!DOCTYPE html > PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" > "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> > <head> > <!--a75c305b1c0a6022--><title>Test</title> > </head> > <body> > <script type="text/javascript">alert(document.cookie)</script> > </body> > </html> > > Then, the attacker can also use a link with the following URI: > > data:application/xhtml+xml;base64,<encoding of above> > > And this is not the only one. If the use the content types text/xml > or application/xml, the page will be parsed as a xml document. In the > script, document has now type XMLDocument, and doesn't have the > property cookie. We can still write something like: > > <script type="text/javascript"> > if (undefined === document.cookie) > window.location.replace(window.location.href.replace("text/xml", > "application/xhtml+xml")) > else > alert(document.cookie) > </script> > The same for application/xml, or more elaborate code to take care of > various cases. > > I just tested this four cases, text/html, text/xml, application/xml, > application/xhtml+xml and I don't know if there are others. > > I don't have a better suggestion for you, so I just leave the comment > that blacklisting can be dangerous. > > Thank you for your time. > >> Attachments are not private anyway. :) >> >> Your patch seems to do its job, attached is a test case. >> >> I'm not sure how far Firefox can be tricked to consider a link as a >> data scheme. I'm thinking of variants of "data:text/html". >
Attachment
Watch this ticket

Saved Queries