Mozilla Foundation Security Advisory 2008-13
Title: Multiple XSS vulnerabilities from character encoding Impact: Moderate Announced: March 25, 2008 Reporter: Alexey Proskuryakov, Yosuke Hasegawa, Simon Montagu Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 220.127.116.11 Thunderbird 18.104.22.168 SeaMonkey 1.1.8 Description
WebKit developer Alexey Proskuryakov reported that the Mozilla HTML parser treated the backspace character as whitespace contrary to the HTML specification and different from other browsers. This difference might lead to Cross-site Scripting (XSS) risks on sites which filtered input in accordance with the specification.
Yosuke Hasegawa reported a flaw in the way Mozilla parses the control character 0x80 under Shift_JIS encoding. This flaw could potentially be used to evade web-site input filters and result in a XSS attack hazard. While investigating, Mozilla developer Simon Montagu discovered several variants of this flaw involving zero-length non-ASCII sequences in ISO-2022-JP, ISO-2022-CN, ISO-2022-KR, and HZ-GB-2312.
These flaws were fixed in and prior to Firefox 22.214.171.124 but the announcement was held until other browser vendors could fix related flaws. Workaround
* Character encoding XSS bugs * CVE-2008-0416