502173 - javascript code execution on event handlers on nodes that aren't appended to a document

Status: RESOLVED WONTFIX

(Core :: DOM: Core & HTML, defect)

Description

[Eduardo Vela N]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5

Mozilla crashed. You suck!  

Reproducible: Always

Steps to Reproduce:
1. execute this:
with(document.createElement("img"))setAttribute('onerror','alert(1)'),setAttribute('src','.'); 
2. alert(1)
3. ??
4. Profit!
Actual Results:  
alert(1)

Expected Results:  
this also executes
document.createElement("pre").innerHTML="<img onerror='alert(1)' src='.'/>"; 

shouldn't execute until the image is appended to a document (document.documentElement or a descendant)

if this is a WONTFIX then it's ok, I dont care (actually, I prefer if this is wontfix, more sandbox escaping fun)

What I'm reporting is that its just unexpected that doing virtualElement.innerHTML=something is going to execute something (asw ell in setAttribute).

you can bypass this if you hold all the nodes in a node with a namespace.
return document.createElementNS("http://sirdarckcat.net/","thing");

greetz!!

Comment 1

[Eduardo Vela N]

Oh, and FWIW, WebKit team is fixing a similar bug
https://bugs.webkit.org/show_bug.cgi?id=26825

Comment 2

[timeless]

https://developer.mozilla.org/en/How_to_get_a_stacktrace_for_a_bug_report

Comment 3

[Eduardo Vela N]

? this is not a crash dude..

Comment 4

[timeless]

you're an idiot dude.

"Mozilla crashed. You suck!  "

don't write that if you don't mean it.

Comment 5

[Eduardo Vela N]

hahahahahahahahahaha

https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&format=guided#short_desc

Bad example: Mozilla crashed. You suck!
Good example: After a crash which happened when I was sorting in the Bookmark Manager,
all of my top-level bookmark folders beginning with the letters Q to Z are no longer present.

Comment 6

[Olli Pettay [:smaug][bugs@pettay.fi]]

(In reply to comment #1)
> Oh, and FWIW, WebKit team is fixing a similar bug
> https://bugs.webkit.org/show_bug.cgi?id=26825
That is not about img.

Note, one can create/load image element also using "var img = new Image();
img.src = 'url_to_image';" syntax,
and that has been used for *years* to preload images before using them in the
document.

Comment 7

[Eduardo Vela N]

what is being fixed in webkit is that code execution is allowed on a DOM not appended to a document.

anyway, as you state image preloading will be broken if this is fixed.. so, wontfix sounds as a sweeeeeeeeeeeeeeeet solution haha :)

Comment 8

[timeless]

html5 documents this, and indeed changing this would break the web :)

Comment 9

[Eduardo Vela N]

I just realized that this is done by firefox's source code at the moment of making "view-generated source code".

So, a new Node (not appended to a document) is created and then to it is appended the code from the webpage, so when it tries to get the source code it executes the event.

Comment 10

[Eduardo Vela N]

Attachment: Testcase, Select the image, right click and select "view selection source"

Select the image, right click and select "view selection source"

Comment 11

[Olli Pettay [:smaug][bugs@pettay.fi]]

(In reply to comment #10)
> Created an attachment (id=386938) [details]
> Testcase, Select the image, right click and select "view selection source"
> 
> Select the image, right click and select "view selection source"

That is a different bug, nothing to do with this one.

Comment 12

[Wladimir Palant]

Agreed, totally different issue (context menu executes cloneNode(true) on the container node of the selection). This issue is still WONTFIX, the other might actually be worth looking into - if reported separately.