Multiple XSS vulnerabilities from character encoding
- March 25, 2008
- Alexey Proskuryakov, Yosuke Hasegawa, Simon Montagu
- Firefox, SeaMonkey, Thunderbird
- Fixed in
- Firefox 220.127.116.11
- SeaMonkey 1.1.8
- Thunderbird 18.104.22.168
WebKit developer Alexey Proskuryakov reported that the Mozilla HTML parser treated the backspace character as whitespace contrary to the HTML specification and different from other browsers. This difference might lead to Cross-site Scripting (XSS) risks on sites which filtered input in accordance with the specification.
Yosuke Hasegawa reported a flaw in the way Mozilla parses the control character 0x80 under Shift_JIS encoding. This flaw could potentially be used to evade web-site input filters and result in a XSS attack hazard. While investigating, Mozilla developer Simon Montagu discovered several variants of this flaw involving zero-length non-ASCII sequences in ISO-2022-JP, ISO-2022-CN, ISO-2022-KR, and HZ-GB-2312.
These flaws were fixed in and prior to Firefox 22.214.171.124 but the announcement was held until other browser vendors could fix related flaws.