Issue 668256 link

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Security: </script> breaks through even in JS string context

Reported by thomas.r...@gmail.com, Nov 23 2016

Issue description

<html>
test
<script>
foo='text </script><script>alert(1)</script>';
</script>
</html>

This HTML page throws the alert because </script> is also executed inside a string. A lot of JS escape libraries do not escape </script>, only \' and \".

Seems to me like a bug.
Status: WontFix (was: Unconfirmed)
The HTML parser doesn't parse JavaScript, so it doesn't recognise that the </script> is inside a JavaScript string. My understanding is that this behaviour is spec compliant; the JavaScript engine doesn't get a chance to run until the HTML parser has finished parsing the script blocks.

Using the standard HTML escape entities avoids this problem.
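Added example, not code from the report or from Chromium: a small JavaScript demonstration of why escaping only quotes leaves the </script> sequence intact, beside an encoder that turns the HTML-significant characters into \uXXXX escapes so the JS engine only sees them after the HTML parser has already delimited the block. All function names are assumptions.

```javascript
// Added example (not from the report or Chromium): the HTML tokenizer ends
// "script data" at the first "</script" regardless of the JavaScript around
// it, so an encoder for inline <script> content must never let that
// sequence through. Function names below are assumptions.

// "Before": escapes backslash and quotes only, the pattern the report
// says many JS escape libraries use.
function naiveJsStringEscape(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"');
}

// "After": also turn HTML-significant characters (<, >, &, /), line
// terminators and NUL into \uXXXX escapes. The HTML parser then sees only
// backslashes, letters and digits; the JS engine decodes them afterwards.
function safeJsStringEscape(s) {
  return s.replace(/[\\'"<>&\/\u2028\u2029\u0000\r\n]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Emit the same inline assignment the report's page uses.
function buildInlineScript(encoder, untrusted) {
  return "<script>foo='" + encoder(untrusted) + "';</script>";
}

// Output check: does anything inside the block contain the (case-
// insensitive) end-tag sequence the tokenizer reacts to?
function containsScriptTerminator(markup) {
  const body = markup.slice('<script>'.length, -'</script>'.length);
  return /<\/script/i.test(body);
}

// What the JS engine would evaluate the literal to. JSON.parse accepts the
// same \uXXXX escapes, so it is an offline stand-in for eval on safe output.
function decodeJsStringLiteral(encoded) {
  return JSON.parse('"' + encoded + '"');
}

// Constructed sample mirroring the report's payload.
const SAMPLE = "text </script><script>alert(1)</script>";

function demo() {
  return {
    naiveLeaks: containsScriptTerminator(buildInlineScript(naiveJsStringEscape, SAMPLE)),
    safeLeaks: containsScriptTerminator(buildInlineScript(safeJsStringEscape, SAMPLE)),
    roundTrip: decodeJsStringLiteral(safeJsStringEscape(SAMPLE)) === SAMPLE,
  };
}

console.log(demo()); // { naiveLeaks: true, safeLeaks: false, roundTrip: true }
```

The same \uXXXX approach also neutralises "<!--", which the script-data tokenizer state treats specially, so it covers more than the single case the report shows.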
Comment 2 by sheriffbot@chromium.org, Mar 2 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot