New issue
Advanced search Search tips

Issue 805924 link

Starred by 2 users

Issue metadata

Status: Fixed
Closed: Mar 2018
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 2
Type: Bug-Security

Sign in to add a comment

mXSS: Potential XSS via MathML gotten from innerHTML

Reported by, Jan 25 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3329.1 Safari/537.36

Steps to reproduce the problem:
Chrome returns HTML of different structure when a crafted HTML including MathML is gotten from innerHTML property.

By abusing this behavior, an attacker might do XSS attacks by changing safe HTML to XSS-able HTML.
This type of bug is known as "mXSS" (mutation-based XSS). For more information, see this paper:

Steps to Reproduce:
1. Go to . This page has a crafted HTML including MathML like the following:

<math><annotation-xml encoding="text/html"><xmp>&lt;/xmp&gt;&lt;img src=x onerror=alert(1)&gt;</xmp></math>

2. Click "Reassign user-generated HTML to innerHTML" button.  JavaScript is executed by being changed to XSS-able HTML like the following:

<math><annotation-xml encoding="text/html"><xmp></xmp><img src=x onerror=alert(1)></xmp></math>

What is the expected behavior?
Chrome should not change the HTML structure in innerHTML.

What went wrong?
Chrome should return correct HTML.

Did this work before? N/A 

Chrome version: 66.0.3329.1  Channel: n/a
OS Version: 10.0
Flash Version: 

As far as I know, a script and style tag also have same issue:

<math><annotation-xml encoding="text/html"><style>&lt;/style&gt;&lt;img src=x onerror=alert(1)&gt;</style></math>
<math><annotation-xml encoding="text/html"><script>&lt;/script&gt;&lt;img src=x onerror=alert(1)&gt;</script></math>
Components: Blink>HTML
Labels: FoundIn-64 Security_Impact-Stable OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac
Status: Untriaged (was: Unconfirmed)
Cool issue, thanks!

Verified repro in 64-66 on Mac; not repro in Firefox.

Comment 2 by, Jan 30 2018

Labels: Security_Severity-Low
The only other mXSS bug we have is  bug 527499  and it's low severity so I'm assigning the same here. I don't think we support MathML and it doesn't seem to have an owner, so not sure who should own this.

Comment 3 by, Jan 30 2018

Status: Available (was: Untriaged)

Comment 4 by, Mar 14 2018

Components: -Blink>HTML Blink>HTML>Parser
I think this is an HTML parser bug.
If <xmp> is in a <annotation-xml>, it seems the <xmp> doesn't trigger RAW TEXT parsing mode. On the other hand, HTML serializer correctly handle <xmp> content as RAW TEXT.

Comment 5 by, Mar 14 2018

Components: -Blink>HTML>Parser Blink>HTML
Oh, no, it may be a serializer bug.
Even if <xmp> content should be serialized as raw text, we need to escape </xmp>.  Safari and Firefox do it.

Comment 6 by, Mar 15 2018

Components: -Blink>HTML Blink>HTML>Parser
Status: Started (was: Available)
I identified an HTMLTreeBuilderSimulator bug.

Project Member

Comment 7 by, Mar 16 2018

The following revision refers to this bug:

commit 133bc5c262b2555af223263452e9875a95db9eb7
Author: Kent Tamura <>
Date: Fri Mar 16 05:33:23 2018

HTML parser: Fix "HTML integration point" implementation in HTMLTreeBuilderSimulator.

HTMLTreeBuilderSimulator assumed only <foreignObject> as an HTML
integration point. This CL adds <annotation-xml>, <desc>, and SVG

Bug:  805924 
Change-Id: I6793d9163d4c6bc8bf0790415baedddaac7a1fc2
Commit-Queue: Kent Tamura <>
Reviewed-by: Kouhei Ueno <>
Cr-Commit-Position: refs/heads/master@{#543634}

Comment 8 by, Mar 16 2018

Labels: M-67
Status: Fixed (was: Started)
Project Member

Comment 9 by, Mar 16 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
Hi! The Chrome VRP Panel decided to award $500 for this report - cheers!
Labels: -reward-unpaid reward-inprocess
Labels: Release-0-M67
Labels: CVE-2018-6145 CVE_description-missing
Project Member

Comment 16 by, Jun 22

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Sign in to add a comment