2009/12/6 Maciej Stachowiak <mjs@apple.com>
>
> On Dec 6, 2009, at 1:22 AM, sird@rckc.at wrote:
>
> hi!
>>
>> I understood only members/invited.experts had a real vote in it.. anyway
>>
>> wrt autofocus it enables xss vectors without user interaction (Mario
>> Heiderich/Gareth Heyes).
>>
>>
> Cn you give me an explanation of the exploit or a link to an explanation?
> I'm not familiar with the issue you are referring to.
>
> Regards,
> Maciej
>
If an injection occurs within a <input type="text" INJECTION_HERE and the <>
chars are filtered. HTML5 allows us to auto execute vectors by supplying
autofocus. Normally a user would have to be tricked into clicking the
element without CSS expression/moz-binding/behaviour vectors but HTML5 add
new XSS vectors. The injection would work like this:-
"AUTOFOCUS onfocus=alert(1) x="
Many form based elements support this auto executing method:-
<input autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
Works on Chrome+Safari+Opera 10