UTF-7 XSS by overriding document charset using <object> type attribute

ID MFSA2010-61
Type mozilla
Reporter Mozilla Foundation
Modified 2010-09-07T00:00:00


Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the type attribute of an <object> tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an <object> tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site's XSS filters, and then executing the code using the above technique.