Open
Bug 1636133
Opened 5 years ago
Updated 4 years ago
registerProtocolHandler() registered URLs cannot contain U+0000 NULL (%00)
Categories
(Core :: DOM: Core & HTML, defect)
People
(Reporter: annevk, Unassigned)
References
(Blocks 1 open bug)
Details
navigator.registerProtocolHandler("web+cat", "/%s");
<a href=web+cat:%00>test</a>
This results in an error of sorts, but it works in Chrome and it doesn't seem particularly dangerous either way. Notably, if the attacker knows the endpoint they could invoke it directly with %00 (rather than %2500 as this would end up doing).
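Added example, not part of the bug report and not Firefox or Chrome code: a Node.js model of the two request shapes the description contrasts (`%2500` via the registered handler, `%00` sent straight to the endpoint) and an endpoint-side check that rejects both. The function names are hypothetical, and `encodeURIComponent` is assumed as a stand-in for the browser's encoding of the target URL before it replaces `%s`.

```javascript
// Added example. The template "/%s" and the scheme "web+cat" come from the bug;
// every function name here is hypothetical.
const HANDLER_TEMPLATE = "/%s";
const SCHEME = "web+cat:";
const CONTROL = /[\u0000-\u001f\u007f]/;

// Browser side (assumed model): serialize the target URL, percent-encode it
// as a component, and substitute it for "%s" in the registered template.
function handlerUrlFor(href) {
  const serialized = new URL(href).href; // "%00" survives serialization here
  return HANDLER_TEMPLATE.replace("%s", encodeURIComponent(serialized));
}

// Endpoint side: decode the request path once, as a web framework would.
function receivedValue(requestPath) {
  return decodeURIComponent(requestPath.slice(1));
}

// Endpoint-side validation. A raw control character after one decode means
// the request did not pass through the handler's extra encoding layer; the
// payload is then decoded once more to catch the "%00" the handler delivers.
function classify(requestPath) {
  let value, payload;
  try {
    value = receivedValue(requestPath);
  } catch {
    return "reject: malformed escape";
  }
  if (!value.startsWith(SCHEME)) return "reject: wrong scheme";
  if (CONTROL.test(value)) return "reject: raw control character";
  try {
    payload = decodeURIComponent(value.slice(SCHEME.length));
  } catch {
    return "reject: malformed escape";
  }
  if (CONTROL.test(payload)) return "reject: encoded control character";
  return "accept";
}

// Constructed inputs: the link from the bug, and a direct request to the endpoint.
const viaHandler = handlerUrlFor("web+cat:%00"); // "/web%2Bcat%3A%2500"
const direct = "/web%2Bcat%3A%00";
console.log(viaHandler, "->", classify(viaHandler));
console.log(direct, "->", classify(direct));
```
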
Updated • 5 years ago
Severity: -- → S3
status-firefox75: --- → affected
status-firefox76: --- → affected
status-firefox77: --- → affected
status-firefox78: --- → affected
Comment 1 • 4 years ago (Reporter)
I suggest that we also look into U+0022 and U+0060 as part of this, as they end up percent-encoded twice. https://github.com/whatwg/html/pull/5524 tightens the specification. https://github.com/web-platform-tests/wpt/pull/23504 has relevant manual tests.