Element HTML content can be incorrectly returned without escaping, bypassing some HTML sanitizers

2012-08-01T00:00:00
ID OPERA:1025
Type opera
Reporter Opera
Modified 2012-08-01T00:00:00

Description

When sites accept HTML from untrusted users, and use that HTML as page content, they typically sanitize the untrusted HTML to ensure that it does not contain any harmful content, such as malicious scripts. In some cases, this sanitization may be performed by writing and reading the contents of DOM elements. In certain situations, Opera may return the HTML contents of an element without correctly escaping all of the characters that denote HTML markup, allowing them to fool the sanitizer, so that they are subsequently interpreted as markup after being inserted into the page. This can then be used to facilitate cross-site scripting (XSS) attacks against Opera, without being detected by a sanitizer.