2009/12/7 Maciej Stachowiak <mjs@apple.com>
> I see. So the premise is that if you can inject attributes onto an input
> element (but not inject arbitrary content) and presumably can't inject
> attributes into certain other elements which have auto-firing event handlers
> (like <body> or <img>), then you now have a drive-by XSS exploit using
> autofocus where previously some user interaction would have been required.
> But how about this:
>
> <input style=position:fixed;left:0px;top:0px;width:100%;height:100%
> onmouseover=alert(1)>
>
> Same conditions, essentially the same effect. Thus, I don't think autofocus
> meaningfully increases attack surface.
>
Well, it enables an attack where previously it was not possible. For example, consider a
web site that filters user input to remove <>():& etc. We can still auto-execute
JavaScript by supplying a vector such as:
"autofocus/onfocus="location=name"x="
Another point is that an onmouseover needs to have the user's focus, whereas the
vector I mentioned can be used within a hidden iframe and enables automation
of the attack rather than requiring a user to focus on each injection.
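The filter bypass described in the reply above, as an added example that is not code from the thread or from either participant: it contrasts a character blacklist that strips <>():& with contextual HTML attribute encoding, using the vector quoted above as constructed test input, and models how a browser would split the resulting start tag into attributes. The template shape (user data inside a double-quoted value attribute of an <input>), the function names, and the tokenizer, which imitates only the HTML tokenizer's attribute-name and quoted-value states, are assumptions of this example.

```javascript
// Added example (not part of the thread): why a character blacklist such as
// removing <>():& does not stop attribute injection, and why contextual
// HTML attribute encoding does. Assumes a template that places the user value
// inside a double-quoted value="..." attribute of an <input> element.

// The vector quoted in the thread, embedded here as constructed test input.
const VECTOR = '"autofocus/onfocus="location=name"x=';

// The kind of filter the message describes: strip a fixed set of characters.
// It never touches the double quote, so the vector passes through unchanged.
function blacklistFilter(value) {
  return String(value).replace(/[<>():&]/g, '');
}

// Contextual encoding for a double-quoted HTML attribute value: every
// character that could end the value or start markup becomes an entity.
function encodeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Renders the tag the way a naive template would, with whichever sanitizer
// is supplied. Only "name" and "value" are attributes the template intends.
const INTENDED_ATTRIBUTES = ['name', 'value'];
function renderInput(userValue, sanitize) {
  return `<input name="q" value="${sanitize(userValue)}">`;
}

// A small model of the HTML tokenizer's attribute states (an assumption of
// this example, not a full parser): whitespace and "/" separate attributes,
// "=" introduces a value, and a quoted value ends at the matching quote, so
// anything that follows the closing quote starts a new attribute name.
function attributeNames(tag) {
  const inner = tag.replace(/^<|>$/g, '');
  const names = [];
  const isSep = (c) => /[\s\/]/.test(c);
  let i = 0;
  while (i < inner.length && !isSep(inner[i])) i++; // skip the tag name
  while (i < inner.length) {
    while (i < inner.length && isSep(inner[i])) i++;
    if (i >= inner.length) break;
    let name = '';
    while (i < inner.length && !isSep(inner[i]) && inner[i] !== '=') {
      name += inner[i++];
    }
    names.push(name.toLowerCase());
    while (i < inner.length && /\s/.test(inner[i])) i++;
    if (inner[i] === '=') {
      i++;
      while (i < inner.length && /\s/.test(inner[i])) i++;
      const quote = inner[i];
      if (quote === '"' || quote === "'") {
        i++;
        while (i < inner.length && inner[i] !== quote) i++;
        i++; // step past the closing quote
      } else {
        while (i < inner.length && !/\s/.test(inner[i])) i++; // unquoted value
      }
    }
  }
  return names;
}

// Defender-side check: which attributes ended up on the tag that the template
// never meant to emit (event handlers such as onfocus, or autofocus itself).
function injectedAttributes(tag) {
  return attributeNames(tag).filter((n) => !INTENDED_ATTRIBUTES.includes(n));
}

// Demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, sanitize] of [['blacklist', blacklistFilter], ['encodeAttr', encodeAttr]]) {
    const html = renderInput(VECTOR, sanitize);
    console.log(label, '->', html);
    console.log('  injected attributes:', injectedAttributes(html));
  }
}
```

With the blacklist, the rendered tag carries autofocus, onfocus and a stray x attribute, which is exactly the unattended execution the reply describes; with encodeAttr the whole vector stays inside the single value attribute. The fix is contextual output encoding (or a templating engine that auto-escapes for the attribute context) together with always quoting attribute values, not a longer list of forbidden characters; injectedAttributes is only a way to make the difference visible in a test.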