17689 2008-03-05 15:57:23 -0800 Reject long UTF sequences 2023-04-01 00:23:09 -0700 1 1 1 Unclassified WebKit WebKit Misc. 528+ (Nightly build) PC Windows XP RESOLVED INVALID P3 Normal --- 0 jasneet webkit-unassigned annevk ap jasneet sam oldest_to_newest 72856 0 jasneet 2008-03-05 15:57:23 -0800 Webkit issue: UTF standards require parsers to reject sequences that were encoded using more bytes than absolutely necessary (for example, standard 7-bit characters encoded as 2 or 4-byte strings, e.g. &#0000106, either as a binary value or a HTML entity). Modify the renderer to reject such characters, as they have no legitimate use, but are routinely abused to carry out cross-site scripting attacks (attempts to close HTML tags and inject code, when obfuscated this way, routinely bypass filters). 72875 1 19565 ap 2008-03-05 22:58:38 -0800 Created attachment 19565 test case (works as expected) Yes, our decoder does reject non-shortest UTF forms in all cases I'm aware of. Do you have a specific example of the problem? 75012 2 20014 jasneet 2008-03-24 15:07:57 -0700 Created attachment 20014 reduction 75013 3 jasneet 2008-03-24 15:08:30 -0700 Looks like the only remaining worrisome case is multibyte HTML entities. These could be used to bypass filters that differentiate between absolute and relative URLs, and apply restrictions based on this distinction: <a href="javascript&#x0000003aalert(1)">Long HTML entity notation might be used to bypass some URL filters</a> This is not strictly a browser bug, but it has no legitimate uses, and is a common XSS vector against applications, so locking it down is certainly beneficial. 75082 4 ap 2008-03-25 00:26:08 -0700 In this example, the entity is not only long, but it is not terminated with a semicolon. As such, it is covered by bug 4948. I am not aware of any reason to reject "&#x0000003a;", though - other browsers handle this just fine, and standards do not disallow it AFAIK. 1945923 5 annevk 2023-04-01 00:23:09 -0700 Indeed, this behavior is covered by the HTML Standard. 19565 2008-03-05 22:58:38 -0800 2008-03-05 22:58:38 -0800 test case (works as expected) non-shortest.html text/html 87 ap PG1ldGEgY2hhcnNldD0idXRmLTgiPjxwPlNob3VsZCBoYXZlIGEgcmVwbGFjZW1lbnQgY2hhcmFj dGVyIGluIHRoZSBtaWRkbGU6ICIvwK4uLyI8L3A+ 20014 2008-03-24 15:07:57 -0700 2008-03-24 15:07:57 -0700 reduction test.htm text/html 140 jasneet PGh0bWw+PGJvZHk+DQo8YSBocmVmPSJqYXZhc2NyaXB0JiN4MDAwMDAwM2FhbGVydCgxKSI+TG9u ZyBIVE1MIGVudGl0eSBub3RhdGlvbiBtaWdodCBiZSB1c2VkIHRvIGJ5cGFzcyBzb21lIFVSTCBm aWx0ZXJzPC9hPg0KPC9ib2R5PjwvaHRtbD4=