Side by Side Diff: LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl

Issue 205243002: XSSAuditor bypass with script tag and expression following injection point (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Incorporate dbates's suggestions. Created 6 years, 9 months ago
OLDNEW
1 #!/usr/bin/perl -wT 1 #!/usr/bin/perl -wT
2 use strict; 2 use strict;
3 use CGI; 3 use CGI;
4 4
5 my $cgi = new CGI; 5 my $cgi = new CGI;
6 6
7 # Passing semicolons through the url to this script is problematic. The raw 7 # Passing semicolons through the url to this script is problematic. The raw
8 # form truncates the input and the %-encoded form isn't being decoded. Hence 8 # form truncates the input and the %-encoded form isn't being decoded. Hence
9 # this set of hard-coded headers. 9 # this set of hard-coded headers.
10 if ($cgi->param('disable-protection')) { 10 if ($cgi->param('disable-protection')) {
(...skipping 74 matching lines...)
85 print "</script>\n"; 85 print "</script>\n";
86 } 86 }
87 if ($cgi->param('inHead')) { 87 if ($cgi->param('inHead')) {
88 print "<head>\n"; 88 print "<head>\n";
89 } else { 89 } else {
90 print "<body>\n"; 90 print "<body>\n";
91 } 91 }
92 if ($cgi->param('replaceState')) { 92 if ($cgi->param('replaceState')) {
93 print "<script>history.replaceState({}, '', '#must-not-appear');</script>\n" ; 93 print "<script>history.replaceState({}, '', '#must-not-appear');</script>\n" ;
94 } 94 }
95 print $cgi->param('q'); 95 print $cgi->param('q'); # XSS reflected here.
96 if ($cgi->param('script-expression-follows')) {
97 print "\n <script>42;</script>\n";
98 }
96 if ($cgi->param('clutter')) { 99 if ($cgi->param('clutter')) {
97 print $cgi->param('clutter'); 100 print $cgi->param('clutter');
98 } 101 }
99 if ($cgi->param('q2')) { 102 if ($cgi->param('q2')) {
100 print $cgi->param('q2'); 103 print $cgi->param('q2');
101 } 104 }
102 if ($cgi->param('showAction')) { 105 if ($cgi->param('showAction')) {
103 print "<script>\n"; 106 print "<script>\n";
104 print " alert('Form action set to ' + document.forms[0].action);\n"; 107 print " alert('Form action set to ' + document.forms[0].action);\n";
105 print "</script>\n"; 108 print "</script>\n";
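Review bot: the new `script-expression-follows` block (new lines 96-98) has no comment saying that its position is what the test depends on. It has to be printed directly after the `q` echo on new line 95 and before the `clutter` and `q2` output, since the issue is about a script tag and expression following the injection point. A one-line comment above the `if`, for example `# Must directly follow the reflected q: emits a trailing <script> expression.`, would stop a later edit from moving it below `clutter`. It would also help to say whether the leading `\n ` in the printed string matters to the case being tested or is only formatting. The trailing comment on line 95 could name the parameter (`# q is reflected unescaped here.`) so it reads correctly next to the `q2` echo further down, which is reflected the same way.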
(...skipping 33 matching lines...)
139 } 142 }
140 if ($cgi->param('echo-report')) { 143 if ($cgi->param('echo-report')) {
141 print "<script src=/security/contentSecurityPolicy/resources/go-to-echo-repo rt.js></script>\n"; 144 print "<script src=/security/contentSecurityPolicy/resources/go-to-echo-repo rt.js></script>\n";
142 } 145 }
143 if ($cgi->param('inHead')) { 146 if ($cgi->param('inHead')) {
144 print "</head>\n"; 147 print "</head>\n";
145 } else { 148 } else {
146 print "</body>\n"; 149 print "</body>\n";
147 } 150 }
148 print "</html>\n"; 151 print "</html>\n";