Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle mXSS bypass #108

Closed
wants to merge 1 commit into from
Closed

Handle mXSS bypass #108

wants to merge 1 commit into from

Conversation

weizman
Copy link
Member

@weizman weizman commented Jun 21, 2023
edited
Loading

Attempt to fix #91, inspired by @mmndaniel's #106

#106 attempts to use XMLSerializer which after some research fucks up html result and injects some syntax errors.

Running:

const html = `
<iframe onload="top.bypass([this.contentWindow]);"></iframe>
<script>setTimeout(() => top.bypass([window]), 1000)</script>
`;
const template = document.createElement('html');
template.innerHTML = html;
new XMLSerializer().serializeToString(template);

Returns:

'<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body><iframe onload="top.bypass([this.contentWindow]);"></iframe>\n\x3Cscript>setTimeout(() =&gt; top.bypass([window]), 1000)\x3C/script>\n</body></html>'
template.innerHTML

See how the content of the script tag is ruined.

Luckily, replacing the usage of XMLSerializer with a simple innerHTML setter seems to do the trick, god knows why...

@weizman weizman mentioned this pull request Jun 21, 2023
Closed
@weizman
Copy link
Member Author

weizman commented Jul 17, 2023

ending up with #123

@weizman weizman closed this Jul 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Bypass using mXSS
1 participant
@weizman