New issue 79014 by cocomon...@hotmail.com: Refused to execute a JavaScript
script. Source code of script found within request.
http://code.google.com/p/chromium/issues/detail?id=79014
Chrome Version : 12.0.725.0 (Official Build 80304) dev
URLs (if applicable) :
http://www.w3schools.com/js/tryit.asp?filename=tryjs_text
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 5:
Firefox 4.x: OK
IE 7/8/9: OK
What steps will reproduce the problem?
1. Go to any of the JS Tryit Editor samples on W3Schools.com.
2. Optionally edit the code.
3. Press "Edit and Click Me >>" button.
What is the expected result?
In the right frame, the output of the code in the left frame should be
shown.
What happens instead?
The right frame becomes blank.
Please provide any additional information below. Attach a screenshot if
possible.
If code within requests were allowed to execute, this page would function
correctly.
As of 17.0.963.56 this has grown beyond just JavaScript source references
being the problem.
We have an <img src="" /> within a rich text editor. The user presses
"preview" to see what the post would look like once parsed. A $_POST is
sent and away we go to see what the post would look like parsed. We also
populate the editor again with the same content.
Now the existence of the <img src="" /> from the previous page is throwing
the infernal XSS error and disabling javascript on the page. This <img
src="" > is an element, not a string in a text node. It is displaying an
image in the text editor.
It is worse than I thought.
Say you have an editor and in your page source you have a script reference,
say
<script type="text/javascript"
src="https://www.vbulletin.com/forum/clientscript/vbulletin-core.js?v=4110c"></script>
Now say, within the editor you type:
src="https://www.vbulletin.com"
Or even better, your editor has an image in it like
<img src="https://www.vbulletin.com/me.png" />
Now you preview, and bang, JavaScript is dead because Chrome insists that
ANY usage of src="yourdomain" appearing in the request means that an XSS
has been triggered.
Previously I would have to have this in my request to trigger the problem:
src="https://www.vbulletin.com/forum/clientscript/vbulletin-core.js?v=4110c">
Now you've pared it down to just this
src="https://www.vbulletin.com">
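The round-trip described in the comments above, as an added example that is not code from the Chromium issue or from vBulletin. It builds the kind of "preview" response the reporter describes (the editor content rendered as markup on a page that already loads a script from the same host) and models two simplified versions of a reflected-script heuristic: the older rule the reporter mentions (a full script URL from the request reappears verbatim as a `<script src>` in the response) and the broader rule being complained about (any `src="..."` in the request shares an origin with a script the response loads). Both rules, the `previewOutcome` helper and the constructed editor inputs are assumptions for illustration, not Chrome's actual XSS Auditor code; the request body is treated as the already-decoded editor content.

```javascript
// Added example, not code from the Chromium issue or from vBulletin.
// Script the page always loads (URL taken from the report).
const SITE_SCRIPT_SRC =
  'https://www.vbulletin.com/forum/clientscript/vbulletin-core.js?v=4110c';

// Escape text for an HTML text or double-quoted attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The "preview" response: the editor content is rendered as markup in
// the preview pane (the forum wants the <img> to display) and echoed
// back, escaped, into the editor's textarea so the user can keep editing.
function buildPreviewPage(editorHtml) {
  return [
    '<!DOCTYPE html><html><head>',
    `<script type="text/javascript" src="${SITE_SCRIPT_SRC}"></script>`,
    '</head><body>',
    `<div id="preview">${editorHtml}</div>`,
    `<textarea name="message">${escapeHtml(editorHtml)}</textarea>`,
    '</body></html>',
  ].join('\n');
}

// src attributes of <script> elements in the response.
function scriptSrcsIn(html) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Every src="..." value anywhere in the request body, element or not
// (the reporter's point: plain text containing src="..." also counts).
function srcValuesIn(body) {
  const out = [];
  const re = /\bsrc\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = re.exec(body)) !== null) out.push(m[1]);
  return out;
}

// Origin of an absolute URL, or null for relative or invalid values.
function originOf(value) {
  try { return new URL(value).origin; } catch (e) { return null; }
}

// Older rule (assumed): block only when a script URL from the request
// is loaded verbatim by the response.
function blocksExact(requestBody, responseHtml) {
  const scripts = scriptSrcsIn(responseHtml);
  return srcValuesIn(requestBody).some((v) => scripts.includes(v));
}

// Broader rule (assumed): block when any src value in the request
// shares an origin with any script the response loads.
function blocksByOrigin(requestBody, responseHtml) {
  const origins = scriptSrcsIn(responseHtml).map(originOf).filter(Boolean);
  return srcValuesIn(requestBody)
    .map(originOf)
    .some((o) => o !== null && origins.includes(o));
}

// One preview round-trip: what each rule would do with this editor content.
function previewOutcome(editorHtml) {
  const html = buildPreviewPage(editorHtml);
  return {
    exact: blocksExact(editorHtml, html),
    byOrigin: blocksByOrigin(editorHtml, html),
  };
}
```

`previewOutcome('Hello <img src="https://www.vbulletin.com/me.png" />')` returns `{ exact: false, byOrigin: true }`, which is the situation in the report: an image from the site's own host trips the broader rule even though nothing executable was reflected, while a genuinely reflected `<script src="https://www.vbulletin.com/evil.js">` trips both rules. At the time, a site that had to reflect its own markup could opt out with the response header `X-XSS-Protection: 0`; Chrome later removed the XSS Auditor altogether (version 78).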