
Re: Seamless iframes + CSS3 selectors = bad idea

From: gaz Heyes <gazheyes@gmail.com>
Date: Sun, 6 Dec 2009 11:28:51 +0000
Message-ID: <252dd75b0912060328l38ac2309u566b42c4e16202ca@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: sird@rckc.at, Adam Barth <w3c@adambarth.com>, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org
2009/12/6 Maciej Stachowiak <mjs@apple.com>

>
> On Dec 6, 2009, at 1:22 AM, sird@rckc.at wrote:
>
>> hi!
>>
>> I understood only members/invited.experts had a real vote in it.. anyway
>>
>> wrt autofocus it enables xss vectors without user interaction (Mario
>> Heiderich/Gareth Heyes).
>>
>>
> Can you give me an explanation of the exploit or a link to an explanation?
> I'm not familiar with the issue you are referring to.
>
> Regards,
> Maciej
>

If an injection occurs within <input type="text" INJECTION_HERE> and the <>
chars are filtered, HTML5 allows us to auto-execute vectors by supplying
autofocus. Normally a user would have to be tricked into clicking the
element (without CSS expression/moz-binding/behaviour vectors), but HTML5 adds
new XSS vectors. The injection would work like this:

"AUTOFOCUS onfocus=alert(1) x="

Many form-based elements support this auto-executing method:
<input autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>

Works on Chrome+Safari+Opera 10
Received on Sunday, 6 December 2009 18:14:17 GMT
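The attribute-context injection Gareth describes, worked through as an added example (this code is not from the thread or from any of its participants). It assumes a constructed server-side template that drops user input into an unquoted-breakable `value="..."` attribute after stripping only `<` and `>`, and puts a minimal attribute tokenizer beside it so you can see which attributes a browser would end up with. The filter, template and helper names are all hypothetical; the payload string is the one from the post.

```javascript
// Added example: why stripping < and > does not stop the autofocus/onfocus
// vector in an attribute context, and what attribute encoding does instead.
// Constructed illustration; nothing here is the original poster's code.

// Payload from the post: closes the value attribute, adds autofocus and an
// onfocus handler, then opens a dummy attribute to swallow the trailing quote.
// Uppercase AUTOFOCUS is fine because HTML attribute names are case-insensitive.
const PAYLOAD = '"AUTOFOCUS onfocus=alert(1) x="';

// Insufficient filter (hypothetical): removes angle brackets only.
// In an attribute context the attacker never needs < or >.
function stripAngleBrackets(s) {
  return s.replace(/[<>]/g, '');
}

// Vulnerable template (hypothetical): user data lands inside value="...".
function renderVulnerable(userValue) {
  return `<input type="text" value="${stripAngleBrackets(userValue)}">`;
}

// Hardened template: HTML attribute encoding. Escaping the quote character
// means the value can no longer terminate the attribute it sits in.
function encodeAttr(s) {
  const map = { '&': '&amp;', '"': '&quot;', "'": '&#x27;', '<': '&lt;', '>': '&gt;' };
  return s.replace(/[&"'<>]/g, (c) => map[c]);
}

function renderSafe(userValue) {
  return `<input type="text" value="${encodeAttr(userValue)}">`;
}

// Minimal tokenizer for the attributes of a single start tag. It follows the
// browser's behaviour for the case that matters here: once a quoted value
// closes, whatever follows (even with no space) starts a new attribute.
// Returns an object of lowercased attribute name -> value.
function parseTagAttributes(tag) {
  const body = tag.replace(/^<[a-zA-Z][^\s/>]*/, '').replace(/\/?>\s*$/, '');
  const re = /([^\s"'>/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// True when the rendered tag carries autofocus plus any on* event handler,
// i.e. the script would run as soon as the page loads, with no user click.
function hasAutoExecVector(html) {
  const attrs = parseTagAttributes(html);
  return 'autofocus' in attrs && Object.keys(attrs).some((k) => k.startsWith('on'));
}

// Stand-alone run: show both renderings and what a browser would parse.
const vulnerable = renderVulnerable(PAYLOAD);
const safe = renderSafe(PAYLOAD);
console.log('vulnerable:', vulnerable, parseTagAttributes(vulnerable));
console.log('safe:      ', safe, parseTagAttributes(safe));
console.log('auto-exec? vulnerable=%s safe=%s', hasAutoExecVector(vulnerable), hasAutoExecVector(safe));
```

The vulnerable rendering parses into `value=""`, a bare `autofocus`, `onfocus="alert(1)"` and `x=""`, which is exactly the `<input autofocus onfocus=alert(1)>` shape listed above; the encoded rendering keeps the whole payload inside a single `value` attribute. The same check applies unchanged to `<textarea>`, `<select>` and `<keygen>` templates, since the vector lives in the attribute list, not the tag name.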