Closed Bug 502173 Opened 15 years ago Closed 15 years ago

javascript code execution on event handlers on nodes that aren't appended to a document

Categories: Core :: DOM: Core & HTML, defect
Severity: minor (priority not set)
Status: RESOLVED WONTFIX
Reporter: sirdarckcat; Assignee: Unassigned
Attachments: 1 file

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5

Mozilla crashed. You suck!  

Reproducible: Always

Steps to Reproduce:
1. execute this:
with(document.createElement("img"))setAttribute('onerror','alert(1)'),setAttribute('src','.'); 
2. alert(1)
3. ??
4. Profit!
Actual Results:  
alert(1)

Expected Results:  
this also executes
document.createElement("pre").innerHTML="<img onerror='alert(1)' src='.'/>"; 

shouldn't execute until the image is appended to a document (document.documentElement or a descendant)

if this is a WONTFIX then it's ok, I don't care (actually, I prefer if this is wontfix, more sandbox escaping fun)

What I'm reporting is that it's just unexpected that doing virtualElement.innerHTML=something is going to execute something (as well in setAttribute).

you can bypass this if you hold all the nodes in a node with a namespace.
return document.createElementNS("http://sirdarckcat.net/","thing");

greetz!!
Oh, and FWIW, WebKit team is fixing a similar bug
https://bugs.webkit.org/show_bug.cgi?id=26825
? this is not a crash dude..
you're an idiot dude.

"Mozilla crashed. You suck!  "

don't write that if you don't mean it.
hahahahahahahahahaha

https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&format=guided#short_desc

Bad example: Mozilla crashed. You suck!
Good example: After a crash which happened when I was sorting in the Bookmark Manager,
all of my top-level bookmark folders beginning with the letters Q to Z are no longer present.
Summary: javascript code execution on event handlers on nodes that aren't appended to a document → THIS IS NOT A CRASH - javascript code execution on event handlers on nodes that aren't appended to a document
(In reply to comment #1)
> Oh, and FWIW, WebKit team is fixing a similar bug
> https://bugs.webkit.org/show_bug.cgi?id=26825
That is not about img.

Note, one can create/load an image element also using the "var img = new Image(); img.src = 'url_to_image';" syntax, and that has been used for *years* to preload images before using them in the document.
what is being fixed in webkit is that code execution is allowed on a DOM not appended to a document.

anyway, as you state, image preloading will be broken if this is fixed.. so, wontfix sounds like a sweeeeeeeeeeeeeeeet solution haha :)
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
html5 documents this, and indeed changing this would break the web :)
Resolution: WONTFIX → INVALID
Summary: THIS IS NOT A CRASH - javascript code execution on event handlers on nodes that aren't appended to a document → javascript code execution on event handlers on nodes that aren't appended to a document
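The practical lesson of this thread for anyone writing client-side code is that a detached element is not an inert container: assigning untrusted markup to the innerHTML of a node created by document.createElement still belongs to the live document, so <img src> is fetched and onerror fires before the node is ever appended. The following is an added example (not code from the bug report, from Mozilla, or from WebKit) showing the alternative a defender would use instead: parse the markup into a document that has no browsing context (DOMParser), strip inline event handlers and javascript: URLs while the tree is still inert, and only then adopt the nodes into the page. The function names scrubTree, safeFragmentFromHtml, isEventHandlerAttribute and isScriptUrl, and the sample payload, are this example's own; scrubTree only depends on a small subset of the DOM Element interface so it can be exercised on a fake node outside a browser.

```javascript
// Added example (not from the bug report): parsing untrusted HTML in an inert
// document and removing inline handlers before the nodes reach the live page.
//
// Background from the thread: document.createElement("pre").innerHTML = ...
// on a detached element still loads <img src> and fires onerror, because the
// detached node shares the creator's document. DOMParser builds a document with
// no browsing context, so nothing is fetched and no handler runs while we
// inspect the tree.

// Inline event handler attributes all begin with "on" (onerror, onload, ...).
function isEventHandlerAttribute(name) {
  return /^on/i.test(name);
}

// URL-bearing attributes where a javascript: scheme would execute on use.
const URL_ATTRIBUTES = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);

function isScriptUrl(value) {
  // Browsers ignore ASCII control characters and spaces before the scheme
  // ("java\tscript:" still runs), so drop them before matching.
  const cleaned = String(value).replace(/[\u0000-\u0020]/g, '');
  return /^javascript:/i.test(cleaned);
}

// Walk the descendants of root, removing inline handlers, javascript: URLs and
// <script> elements. Returns a list of what was removed. Only uses tagName,
// getAttributeNames, getAttribute, removeAttribute, children and remove, so
// any object exposing that subset of Element (a real DOM or a fake) works.
function scrubTree(root) {
  const removed = [];
  const visit = (el) => {
    // Copy the collection first: removing elements mutates el.children.
    for (const child of Array.from(el.children)) {
      if (String(child.tagName).toLowerCase() === 'script') {
        removed.push({ tag: 'script', attr: null });
        child.remove();
        continue;
      }
      for (const name of child.getAttributeNames()) {
        const lower = name.toLowerCase();
        if (isEventHandlerAttribute(lower) ||
            (URL_ATTRIBUTES.has(lower) && isScriptUrl(child.getAttribute(name)))) {
          removed.push({ tag: String(child.tagName).toLowerCase(), attr: lower });
          child.removeAttribute(name);
        }
      }
      visit(child);
    }
  };
  visit(root);
  return removed;
}

// Browser-only: parse into an inert document, scrub, then adopt into the page.
// Only body's child nodes are adopted, so attributes on <body>/<html> in the
// untrusted markup (e.g. onload) never reach the live document either.
function safeFragmentFromHtml(html) {
  const inertDoc = new DOMParser().parseFromString(html, 'text/html');
  scrubTree(inertDoc.body);
  const fragment = document.createDocumentFragment();
  for (const node of Array.from(inertDoc.body.childNodes)) {
    fragment.appendChild(document.adoptNode(node));
  }
  return fragment;
}

if (typeof document !== 'undefined') {
  // The thread's own payload, used here as constructed sample input.
  const sample = "<img onerror='alert(1)' src='.'/>";
  document.body.appendChild(safeFragmentFromHtml(sample));
  // The image still loads (and fails) once appended, but its onerror is gone.
}
```

The ordering is what matters: the scrub runs on the DOMParser document, where the image has not been fetched, and adoption into the live document happens only afterwards. Doing the same scrub on a detached createElement("pre") would already be too late, which is exactly what the bug report demonstrates.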
I just realized that this is done by Firefox's source code at the moment of making "view-generated source code".

So, a new Node (not appended to a document) is created and then the code from the webpage is appended to it, so when it tries to get the source code it executes the event.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Select the image, right click and select "view selection source"
(In reply to comment #10)
> Created an attachment (id=386938) [details]
> Testcase, Select the image, right click and select "view selection source"
> 
> Select the image, right click and select "view selection source"

That is a different bug, nothing to do with this one.
Agreed, totally different issue (context menu executes cloneNode(true) on the container node of the selection). This issue is still WONTFIX; the other might actually be worth looking into, if reported separately.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX