XSSAuditor must match raw page content for animate tags.
Otherwise it is vulnerable to an entity bypass. The fix to bug 384077 solved the otherwise difficult problem of finding a match endpoint by using decoded data to find an actual semicolon, which solved one problem but resulted in this issue. To do these accurately, we'd need an HTMLSourceTracker that can track the position of each decoded byte within a value back to the raw content, rather than just the start and end position. Doing this would be expensive. So just stop at any semicolon in the attribute. I'd worried that this would not give enough signal, but we are already checking for an animate tag containing a javascript: URL, which is likely only ever used by the bad guys. Tweak the one existing testcase to cover the variation involving entities. Two other existing testcases show that we don't re-introduce 384077. I'd deferred fixing this hoping for animate to be deprecated, but those plans are on hold.

Bug: 517547
Change-Id: Ib63dbdc691f11b143dc6e2fdd4b4232cfdf9629d
Reviewed-on: https://chromium-review.googlesource.com/599045
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#491771}
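The matching rule described above, as an added illustration that is not Chromium's code and not part of this change: a small Python model of the auditor's reflection check for a semicolon-separated `<animate>` value attribute. The function names (`snippet_after_fix`, `snippet_without_truncation`, `animate_value_injected`), the fragment cap and the canonicalization (entity decode plus dropping whitespace, NUL and backslash) are simplified assumptions, and the attribute values and request URLs are constructed samples. It shows the two properties the commit message relies on: cutting the raw value at the first literal `;` (including the one that ends a character reference) keeps every position valid in the page source and still leaves a `javascript:` prefix as signal, while leaving the value uncut lets page data after the separator hide the reflection (the 384077 false negative).

```python
import html
from urllib.parse import unquote

# Assumed stand-in for the auditor's fragment length cap (not Chromium's value).
MAX_FRAGMENT = 100


def canonicalize(text: str) -> str:
    """Fully decode HTML character references and drop characters the
    comparison should ignore. Simplified model, not the real character set."""
    decoded = html.unescape(text)
    return "".join(ch for ch in decoded if ch not in " \t\r\n\f\x00\\")


def snippet_after_fix(raw_attr_value: str) -> str:
    """Post-fix rule: cut the RAW attribute value at its first literal ';'
    (a ';' terminating an entity counts too), then decode. Every index used
    here exists in the raw page source, so no decoded/raw position mismatch."""
    head = raw_attr_value[:MAX_FRAGMENT]
    semi = head.find(";")
    if semi != -1:
        head = head[:semi]
    return canonicalize(head)


def snippet_without_truncation(raw_attr_value: str) -> str:
    """No truncation at all: page data following the injected value stays in
    the snippet, which is the false negative bug 384077 was about."""
    return canonicalize(raw_attr_value[:MAX_FRAGMENT])


def is_reflected(snippet: str, request_url: str) -> bool:
    """Reflection test: the canonical snippet must occur in the percent-decoded,
    canonicalized request URL."""
    return bool(snippet) and snippet in canonicalize(unquote(request_url))


def animate_value_injected(raw_attr_value: str, request_url: str) -> bool:
    """Flag an <animate> value attribute that carries a javascript: URL
    and whose raw-truncated snippet is reflected from the request."""
    if not canonicalize(raw_attr_value).lower().startswith("javascript:"):
        return False
    return is_reflected(snippet_after_fix(raw_attr_value), request_url)


if __name__ == "__main__":
    # Constructed sample: injected value followed by the page's own ";0;0".
    page_value = "javascript:alert(1);0;0"
    url = "http://example.test/?v=javascript%3Aalert(1)"
    print(animate_value_injected(page_value, url))            # True
    print(is_reflected(snippet_without_truncation(page_value), url))  # False

    # Constructed sample: entity inside the injected value; the cut lands on
    # the entity's ';' and "javascript:a" is still enough to match.
    entity_value = "javascript:&#x61;lert(1);0"
    entity_url = "http://example.test/?v=javascript:%26%23x61;lert(1)"
    print(snippet_after_fix(entity_value))                    # javascript:a
    print(animate_value_injected(entity_value, entity_url))   # True
```

The important design point is that the truncation index is computed on the raw string and only then decoded; computing it on decoded text and applying it to raw text is exactly the position mismatch the commit message says would need a per-byte source tracker to do correctly.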