Mozilla Foundation Security Advisory 2008-67
Title: Escaped null characters ignored by CSS parser
Announced: December 16, 2008
Reporter: Kojima Hajime
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.0.5
Kojima Hajime reported that unlike literal null
characters which were handled correctly, the escaped form '
was ignored by the CSS parser and treated as if it was not present in
the CSS input string. This issue could potentially be used to bypass
script sanitization routines in web applications. The severity of
this issue was determined to be low.