Mozilla Foundation Security Advisory 2008-67
Escaped null characters ignored by CSS parser
- December 16, 2008
- Kojima Hajime
- Firefox, SeaMonkey, Thunderbird
- Fixed in
- Firefox 126.96.36.199
- Firefox 3.0.5
- SeaMonkey 1.1.14
- Thunderbird 188.8.131.52
Kojima Hajime reported that unlike literal null
characters which were handled correctly, the escaped form '
was ignored by the CSS parser and treated as if it was not present in
the CSS input string. This issue could potentially be used to bypass
script sanitization routines in web applications. The severity of
this issue was determined to be low.