
Issue 675352


Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




XSS upon re-injecting the XSS vector

Reported by char...@gmail.com, Dec 17 2016

Issue description

Steps to reproduce:
1. Open Google Chrome with url https://www.google.co.in/
2. Right-click over "Google Search" button, click Inspect
3. In <input ...> tag, change it to <input <img src=x onmouseover=alert(document.cookie)> ...>
4. Hit enter
5. Mouse over the Submit button

Expected:
Button label is "Google Search" and XSS is not triggered

Actual:
Button label changes to "Submit" and XSS is triggered
 
Attachment: google-homepage-xssed.PNG (36.2 KB)
Labels: -Restrict-View-SecurityTeam
Status: WontFix (was: Unconfirmed)
Please see https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Does-entering-JavaScript:-URLs-in-the-URL-bar-or-running-script-in-the-developer-tools-mean-there-s-an-XSS-vulnerability- for details on why injecting JavaScript via the developer tools or URL bar does not represent a security vulnerability.
