Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tainted flag propagation through Function's constructor #10

Closed
dmitris opened this issue Mar 8, 2013 · 1 comment
Closed

tainted flag propagation through Function's constructor #10

dmitris opened this issue Mar 8, 2013 · 1 comment

Comments

@dmitris
Copy link
Collaborator

dmitris commented Mar 8, 2013

I believe the following case is missing - wonder if it is something we should add:

var s = String.newTainted("foo"); // "foo" will be potential attack payload
s.tainted; // true
var f = new Function("", "return '" + s + "';");
var x = f();   // x is now "foo", but...
x.tainted; // currently false - I believe should be true to avoid losing the propagation of the tainted flag, right?
@wisec
Copy link
Owner

wisec commented Mar 8, 2013

Actually it's the expected behaviour.
In fact, it's like executing

 return 'foo';

and not

return taintedString;

Your case is covered by the Stored String Taint Propagation.
http://blog.mindedsecurity.com/2012/10/stored-dom-based-cross-site-scripting.html

@wisec wisec mentioned this issue Mar 8, 2013
Closed
@wisec wisec closed this as completed Jan 9, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dmitris @wisec