
Issue 774095 link

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 3
Type: Bug




</script> inside quotes is closing script tag.

Project Member Reported by csperl@google.com, Oct 12 2017

Issue description

Chrome Version       : 60.0.3112.113
Behavior in Firefox 56.0: The same

I am unsure if this is a known problem, but it could cause some security issue if not:

I have a simple html file containing:
<html>
 <body>
  <script>
   var a = "</script>b"
  </script>
 </body>
</html>

The problem is that the script end-tag in the quotes (</script>) is recognized as a proper end tag for the script. Then Chrome shows b", instead of an empty page. So, even though the </script> is in quotes, it is treated as a valid end tag. Any other tags like </body> or <script> are treated as part of the value of a.

If this is a bug it could cause XSS.
 
Cc: vamshi.k...@techmahindra.com
Components: Blink>HTML>Script
Labels: Needs-Milestone Triaged-ET M-63 OS-Linux OS-Mac OS-Windows
Status: Untriaged (was: Unconfirmed)
Able to reproduce the issue on the reported Chrome version 60.0.3112.113 and on the latest canary 63.0.3238.0 on Windows 10, Ubuntu 14.04 and on Mac 10.12.6. As the issue is seen from M50 (50.0.2634.0), considering it as Non-regression and marking this as Untriaged for further investigation by the respective team.

Comment 2 by kouhei@chromium.org, Oct 13 2017

Components: -Blink>HTML>Script Blink>HTML>Parser
Labels: Needs-Feedback
Status: (was: Untriaged)
Chrome is parsing the example HTML as specified: https://html.spec.whatwg.org/multipage/parsing.html#script-data-state
This is specified behavior from early days of HTML4.

You can try filing a spec bug, but I'm afraid that changing this behavior will affect a lot of existing websites.

Comment 3 by csperl@google.com, Oct 17 2017

I agree, it is defined like this in the specification.
You wrote that changing the specification will affect a lot of existing websites: Is there any use case where it actually makes sense to allow this?
To my mind, the only things which would break when changing the spec would be invalid html pages (e.g. no closing " and suddenly closing the script-tag) and some XSS possibilities (which is a good thing).
This is one of the reasons why the W3C HTML validator warned about unescaped less-than symbols for a long time. The XSS issue arises if someone does not do proper escaping. In the case of inline scripts, developers have to think about JavaScript and HTML.
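The behavior reported above and the escaping point raised in this comment, as an added example that is not part of the issue thread or of any browser's source. It models the spec's "script data" tokenizer state in a few lines: once inside <script>, the tokenizer knows nothing about JavaScript and simply scans for "</script" followed by whitespace, "/" or ">", case-insensitively. It then shows the two escapes that keep server-supplied data from closing the element. All function names are this example's own, and the HTML inputs are constructed for it.

```javascript
// Added example modelling the HTML "script data" state described in the
// issue. Not Blink code; function names and sample inputs are this
// example's own.

// Position at which the tokenizer ends a <script> element's content that
// begins at startIndex, or -1 if the script runs to end of input. Quotes,
// comments, regex literals and backslashes in the JavaScript are invisible
// to the tokenizer; only "</script" + (whitespace | "/" | ">") counts.
function scriptDataEnd(html, startIndex) {
  const re = /<\/script(?=[\s\/>])/gi;
  re.lastIndex = startIndex;
  const m = re.exec(html);
  return m ? m.index : -1;
}

// Content of the first <script ...> element in html, as the parser sees it.
function scriptBody(html) {
  const open = html.search(/<script(?=[\s\/>])[^>]*>/i);
  if (open < 0) return null;
  const contentStart = html.indexOf(">", open) + 1;
  const end = scriptDataEnd(html, contentStart);
  return html.slice(contentStart, end < 0 ? html.length : end);
}

// Fix for hand-written JavaScript source: "<\/" is identical to "</" inside
// a JS string or regex literal but no longer contains the "</script"
// sequence at the HTML level. The same trick is applied to "<!--", which
// also changes tokenizer state inside script data.
function escapeForInlineScript(jsSource) {
  return jsSource.replace(/<\//g, "<\\/").replace(/<!--/g, "<\\!--");
}

// Fix for data embedded via JSON.stringify: JSON.stringify leaves "<"
// untouched, so the output can still close the element. Replacing every "<"
// with the \u003c escape is valid in both JSON and JavaScript string
// literals, so the value round-trips and never forms "</script".
function jsonForInlineScript(value) {
  return JSON.stringify(value).replace(/</g, "\\u003c");
}

// Constructed inputs: the page from the issue, and the escaped variant.
const issuePage =
  '<html>\n <body>\n  <script>\n   var a = "</script>b"\n  </script>\n </body>\n</html>';
const fixedPage = issuePage.replace('"</script>b"', '"<\\/script>b"');

function demo() {
  return {
    // Ends at the quoted </script>: the tokenizer ignores the string literal.
    issueBody: scriptBody(issuePage),
    // </body>, <script> and "</scripts>" inside the literal are not end tags.
    otherTags: scriptBody('<script>var a = "</body><script></scripts>"</script>'),
    // Case and trailing whitespace do not matter: "</SCRIPT >" ends it too.
    caseInsensitive: scriptBody('<script>x = 1</SCRIPT >'),
    // After escaping, the whole statement survives as script content.
    fixedBody: scriptBody(fixedPage),
  };
}
```

The escapes are only needed for data placed inside an inline script; data placed in an HTML attribute or text node needs HTML entity encoding instead, and the two must not be confused. Bracketing a literal `</script>` with the usual HTML entity (`&lt;`) inside a script block does not help, since script data is never entity-decoded.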

Comment 5 by kochi@chromium.org, Dec 27 2017

Status: WontFix
As Blink cannot take any action on this (it is working as expected/specced,
per comment #2), let's close this.

csperl@ I'm not sure you can get answers to your question here.
If you think it would be good to have spec change and change the parser
behavior (for all browsers, for compatibility),
https://github.com/whatwg/html would be the better place.
