Re: Seamless iframes + CSS3 selectors = bad idea

2009/12/6 Maciej Stachowiak <mjs@apple.com>

>
> On Dec 6, 2009, at 1:22 AM, sird@rckc.at wrote:
>
>> hi!
>>
>> I understood only members/invited.experts had a real vote in it.. anyway
>>
>> wrt autofocus it enables xss vectors without user interaction (Mario
>> Heiderich/Gareth Heyes).
>>
>>
> Can you give me an explanation of the exploit or a link to an explanation?
> I'm not familiar with the issue you are referring to.
>
> Regards,
> Maciej
>

If an injection occurs within an <input type="text" INJECTION_HERE and the <>
chars are filtered, HTML5 allows us to auto-execute vectors by supplying
autofocus. Normally a user would have to be tricked into clicking the
element without CSS expression/moz-binding/behaviour vectors, but HTML5 adds
new XSS vectors. The injection would work like this:-

"AUTOFOCUS onfocus=alert(1) x="

Many form based elements support this auto executing method:-
<input autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>

Works on Chrome+Safari+Opera 10

Received on Sunday, 6 December 2009 18:14:17 UTC