Bug 502173 - javascript code execution on event handlers on nodes that aren't appended to a document
Status: Closed, RESOLVED WONTFIX
Product: Core
Component: DOM: Core & HTML (defect)
Opened 15 years ago; closed 15 years ago
Reporter: sirdarckcat; Assignee: Unassigned
Attachments: 1 file
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5

Mozilla crashed. You suck!

Reproducible: Always

Steps to Reproduce:
1. execute this: with(document.createElement("img"))setAttribute('onerror','alert(1)'),setAttribute('src','.');
2. alert(1)
3. ??
4. Profit!

Actual Results:
alert(1)

Expected Results:
this also executes:
document.createElement("pre").innerHTML="<img onerror='alert(1)' src='.'/>";
shouldn't execute until the image is appended to a document (document.documentElement or a descendant)

if this is a WONTFIX then it's ok, I don't care (actually, I prefer if this is wontfix, more sandbox escaping fun)

What I'm reporting is that it's just unexpected that doing virtualElement.innerHTML=something is going to execute something (as well in setAttribute).

you can bypass this if you hold all the nodes in a node with a namespace.
return document.createElementNS("http://sirdarckcat.net/","thing");

greetz!!
Comment 1 (Reporter) • 15 years ago
Oh, and FWIW, WebKit team is fixing a similar bug https://bugs.webkit.org/show_bug.cgi?id=26825
Comment 3 (Reporter) • 15 years ago
? this is not a crash dude..
you're an idiot dude. "Mozilla crashed. You suck!" don't write that if you don't mean it.
Comment 5 (Reporter) • 15 years ago
hahahahahahahahahaha
https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&format=guided#short_desc
Bad example: Mozilla crashed. You suck!
Good example: After a crash which happened when I was sorting in the Bookmark Manager, all of my top-level bookmark folders beginning with the letters Q to Z are no longer present.
Updated (Reporter) • 15 years ago
Summary: javascript code execution on event handlers on nodes that aren't appended to a document → THIS IS NOT A CRASH - javascript code execution on event handlers on nodes that aren't appended to a document
Comment 6 • 15 years ago
(In reply to comment #1)
> Oh, and FWIW, WebKit team is fixing a similar bug
> https://bugs.webkit.org/show_bug.cgi?id=26825

That is not about img. Note, one can create/load image element also using "var img = new Image(); img.src = 'url_to_image';" syntax, and that has been used for *years* to preload images before using them in the document.
Comment 7 (Reporter) • 15 years ago
what is being fixed in webkit is that code execution is allowed on a DOM not appended to a document. anyway, as you state image preloading will be broken if this is fixed.. so, wontfix sounds as a sweeeeeeeeeeeeeeeet solution haha :)
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
html5 documents this, and indeed changing this would break the web :)
Resolution: WONTFIX → INVALID
Summary: THIS IS NOT A CRASH - javascript code execution on event handlers on nodes that aren't appended to a document → javascript code execution on event handlers on nodes that aren't appended to a document
Comment 9 (Reporter) • 15 years ago
I just realized that this is done by Firefox's source code at the moment of making "view-generated source code". So, a new Node (not appended to a document) is created and then the code from the webpage is appended to it, so when it tries to get the source code it executes the event.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 10 (Reporter) • 15 years ago
Select the image, right click and select "view selection source"
Comment 11 • 15 years ago
(In reply to comment #10)
> Created an attachment (id=386938) [details]
> Testcase, Select the image, right click and select "view selection source"
>
> Select the image, right click and select "view selection source"

That is a different bug, nothing to do with this one.
Comment 12 • 15 years ago
Agreed, totally different issue (context menu executes cloneNode(true) on the container node of the selection). This issue is still WONTFIX, the other might actually be worth looking into - if reported separately.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → WONTFIX
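The practical lesson of this thread, for anyone handling untrusted markup in a page, is that a detached element is not inert: innerHTML or setAttribute on it still registers inline handlers and starts the image load, so onerror fires before anything is appended, and (as comment 12 notes) cloneNode on such a subtree re-creates the element and triggers it again. A DOMParser document has no browsing context, so scripts do not run and images are not fetched there; that is where untrusted markup can be inspected and stripped before it is imported into the live document. The following is an added example written for this page; it is not code from the bug report, the attachment or Mozilla. The helper names (isScriptBearingAttribute, stripActiveContent, importSanitized) and the sample markup are my own constructions; the attribute check is a pure function that also runs outside a browser, while the two DOM functions are browser-only.

```javascript
// Added example (not from the bug report): parse untrusted markup in an inert
// DOMParser document instead of via innerHTML on a detached element.

// Attributes whose value is a URL and could therefore carry a javascript: scheme.
const URL_ATTRIBUTES = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);

// Pure check: does this attribute name/value pair carry script?
// Any on* name is treated as an inline event handler (onerror, onload, onclick ...).
function isScriptBearingAttribute(name, value) {
  const n = name.toLowerCase();
  if (n.startsWith('on')) return true;
  if (!URL_ATTRIBUTES.has(n)) return false;
  // Browsers drop ASCII whitespace/control characters before scheme parsing, so
  // " javascript:" and "java\tscript:" still execute; normalise the same way.
  const normalised = String(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return normalised.startsWith('javascript:');
}

// Browser-only: remove <script> elements and script-bearing attributes from an
// inert tree in place. Returns the number of removals so callers can log them.
function stripActiveContent(root) {
  const doc = root.ownerDocument;
  const walker = doc.createTreeWalker(root, NodeFilter.SHOW_ELEMENT);
  const elements = [];
  while (walker.nextNode()) elements.push(walker.currentNode); // collect first, then mutate
  let removed = 0;
  for (const el of elements) {
    if (el.localName === 'script') { el.remove(); removed++; continue; }
    for (const attr of Array.from(el.attributes)) {
      if (isScriptBearingAttribute(attr.name, attr.value)) {
        el.removeAttribute(attr.name);
        removed++;
      }
    }
  }
  return removed;
}

// Browser-only: parse inertly, strip, then import into the live document.
function importSanitized(untrustedHtml) {
  // No browsing context here: no script execution, no image fetch, no onerror.
  const inert = new DOMParser().parseFromString(untrustedHtml, 'text/html');
  stripActiveContent(inert.body);
  // importNode creates the nodes in the live document; an <img src> begins
  // loading at this point even though nothing is appended yet (the behaviour
  // the bug describes), but with onerror gone the failed load runs no handler.
  const fragment = document.createDocumentFragment();
  for (const child of Array.from(inert.body.childNodes)) {
    fragment.appendChild(document.importNode(child, true));
  }
  return fragment;
}

if (typeof document !== 'undefined') {
  // Constructed sample in the shape of the report's testcase.
  const sample = "<img onerror='alert(1)' src='.'/><p onclick=\"alert(2)\">text</p>";
  document.body.appendChild(importSanitized(sample)); // no alert fires
}
```

The inert-parse step is what a detached element cannot provide: the element created by document.createElement belongs to the live document and therefore loads and fires like any other node, whereas the DOMParser document only becomes "live" at importNode, after the handlers are gone.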