rjatkins / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy
0 stars 0 forks source link

<style type="text/javascript> allowed #124

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

Input   <style type="text/javascript>...</style>

with the following policy rule

        <tag name="style" action="validate">
            <attribute name="type">
                <literal-list>
                    <literal value="text/css"/>
                </literal-list>
            </attribute>
            <attribute name="media"/>
        </tag>

What is the expected output? What do you see instead?
<style>...</style>

What version of the product are you using? On what operating system?
1.4.5 java SAX parser, also the smoketest with anythinggoes policy

Please provide any additional information below.
a style tag with a javascript mime type is a valid attack vector fo NS4.

Original issue reported on code.google.com by b...@mobz.org on 12 Jan 2012 at 2:02

GoogleCodeExporter commented 9 years ago
This is a good candidate for the next minor release. Are there any devices or 
browsers in use today that use the NS4 engine that should make me consider a 
higher impact for this defect?

Original comment by arshan.d...@gmail.com on 23 Feb 2012 at 1:25