dominator doesn't pick up on domxss that "do not work in firefox TM"

[GoogleCodeExporter]

So I was playing with dominator with some software seeing if it would catch 
onto anything. Well it didn't but I did (in chrome). 
The code flow to the domxss was something like this --->

var something = location.href.split("#")[1] || "" ;
^ now if location.href is like this -->

$uri#l\\alert(1);alert(2);//<input>
then in firefox(6) the value of something is 
"l\\alert(1);alert(2);//%3Cinput%3E"
but in chrome(14) it is 
"l\\alert(1);alert(2);//<input>"

the variable something was then given to a few functions ....
before finally ending up used in a jquery selection like this
("#" + something + "[foo=" + something +"]").

So in chrome with a hash of <video src="WATVIDEO??" onerror=alert(1)> ends 
tripping the domxss (to show an alert dialogue with the number one in it)
but in firefox - nothing happens and so, dominator failed to detect the domxss 
:/

Original issue reported on code.google.com by db.pub.m...@gmail.com on 16 Sep 2011 at 4:36

[GoogleCodeExporter]

The line:
("#" + something + "[foo=" + something +"]").
Should have been:
$("#" + something + "[foo=" + something +"]").

Original comment by db.pub.m...@gmail.com on 16 Sep 2011 at 4:39

[GoogleCodeExporter]

Thanks for reporting this.

About the "'<>.etc.. escaping in DOMinator you're right.
I'll add the unescaped location feature in the next release.

About the possibility of adding html5 tags, of course depends on the browser 
implementing it.
As you know, the detection of a DOM Xss (row in alert tab) is different from 
executing the Xss in the browser itself.

Thanks

Original comment by stefano....@gtempaccount.com on 19 Sep 2011 at 5:47

• Changed state: Accepted