- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 15 Feb 2011 02:54:36 -0500
- To: "sird@rckc.at" <sird@rckc.at>
- CC: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
On 2/15/11 2:40 AM, sird@rckc.at wrote:
> if(navigator.userAgent.match(/Firefox/))
> ifr.setAttribute("src","/xss.php?csp&plain_text");

What's the point of that?

> try {
> ifr.contentDocument.documentElement.innerHTML=src;

Given that you immediately do this? (Let's ignore for the moment that matching on "Firefox" is totally the wrong way to detect Gecko and minor details like that.)

> parseHTML("<img src=/ onload=alert(1)
> onerror=alert(1)><script>alert(1)</script><iframe
> src=javascript:alert(1)></iframe><b>hello</b>").getElementsByTagName("b")[0].innerHTML;
> parseHTML("<xD/>").getElementsByTagName("*")[0].innerHTML="<img src=/
> onload=alert(1) onerror=alert(1)><script>alert(1)</script><iframe
> src=javascript:alert(1)></iframe>";

The fact that these don't execute in Gecko just has to do with the window being torn down before the async load events fire.

-Boris
Received on Tuesday, 15 February 2011 07:55:41 UTC