Status: New
Owner: ----
New issue 2327 by [email protected]: Incorrect handling of CDATA sections
http://code.google.com/p/v8/issues/detail?id=2327
While developing a low-interaction honeyclient
(https://github.com/buffer/thug) which makes use of V8 as its JavaScript
engine, I identified what seems to be incorrect handling of CDATA sections
in V8. The following snippet was identified on a malicious page:
<script type="text/javascript">
/* <![CDATA[ */
(function() {
    try {
        var s, a, i, j, r, c, l = document.getElementById("__cf_email__");
        a = l.className;
        if (a) {
            s = '';
            r = parseInt(a.substr(0, 2), 16);
            for (j = 2; a.length - j; j += 2) {
                c = parseInt(a.substr(j, 2), 16) ^ r;
                s += String.fromCharCode(c);
            }
            s = document.createTextNode(s);
            l.parentNode.replaceChild(s, l);
        }
    } catch (e) {}
})(); /* ]]> */
</script>
Please consider that a.length is odd, thus resulting in a never-ending for
loop.
The real question is why the code in the CDATA section is executed in the
first place. As far as I know, data within such a section should be ignored
by the parser, thus leading to an empty content tag in this case, but it
seems it's not so.
Am I missing something?
Additional information:
buffer@alnitak ~/v8 $ svn info
Path: .
URL: http://v8.googlecode.com/svn/trunk
Repository Root: http://v8.googlecode.com/svn
Repository UUID: ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Revision: 12470
Node Kind: directory
Schedule: normal
Last Changed Author: [email protected]
Last Changed Rev: 12466
Last Changed Date: 2012-09-06 15:50:42 +0200 (Thu, 06 Sep 2012)
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
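Added example, not part of the bug report above and not code from the Thug project or from V8: the decoder in the posted snippet reimplemented as plain functions so its termination behaviour can be checked outside a browser. The encoding scheme is the one the snippet implies (the first hex byte is an XOR key, every following hex byte is a plaintext character XOR'd with that key); the encoder, the iteration cap in decodeAsPosted, and all input strings are constructed here. Note that in an HTML document the content of a <script> element reaches the JavaScript engine as raw text, and the CDATA markers in the snippet sit inside /* */ comments, so V8 never sees a CDATA section at all; the same holds for a real CDATA section in XHTML, whose character data is still the script source.

```javascript
// Encode a plaintext the way the posted decoder expects (constructed helper,
// assumption: first byte is the XOR key, rest are plaintext ^ key).
function encodeCfEmail(plain, key) {
  let out = key.toString(16).padStart(2, "0");
  for (const ch of plain) {
    out += (ch.charCodeAt(0) ^ key).toString(16).padStart(2, "0");
  }
  return out;
}

// Decoder with the snippet's original loop condition (`a.length - j`), run
// under an iteration cap so a non-terminating loop is observed rather than
// hung on. Returns { text, terminated }; terminated is false if the cap hit.
function decodeAsPosted(a, maxIter = 10000) {
  const r = parseInt(a.substr(0, 2), 16);
  let s = "";
  let iter = 0;
  for (let j = 2; a.length - j; j += 2) {
    if (++iter > maxIter) return { text: s, terminated: false };
    // Once j passes a.length, substr yields "", parseInt gives NaN, and
    // NaN ^ r is r, so s keeps growing while the condition never hits 0.
    const c = parseInt(a.substr(j, 2), 16) ^ r;
    s += String.fromCharCode(c);
  }
  return { text: s, terminated: true };
}

// Hardened decoder: the loop is bounded by `j < a.length`, and strings that
// are not an even number of hex digits (at least the key byte) are rejected
// up front instead of being fed to parseInt.
function decodeCfEmail(a) {
  if (!/^[0-9a-fA-F]+$/.test(a) || a.length % 2 !== 0 || a.length < 2) {
    throw new Error("malformed encoded string");
  }
  const r = parseInt(a.substr(0, 2), 16);
  let s = "";
  for (let j = 2; j < a.length; j += 2) {
    s += String.fromCharCode(parseInt(a.substr(j, 2), 16) ^ r);
  }
  return s;
}

// Stand-alone demonstration on constructed inputs.
const good = encodeCfEmail("ab", 0x5a);            // "5a3b38"
const odd = good.slice(0, -1);                     // odd-length "5a3b3"
console.log(good, decodeAsPosted(good), decodeCfEmail(good));
console.log(odd, decodeAsPosted(odd).terminated);  // false: loop never ends
```

The capped run on the odd-length string shows what the honeyclient hit: the condition `a.length - j` only reaches 0 when a.length is even, so an odd-length className keeps the loop alive forever while the accumulated string grows. Bounding the loop with `j < a.length` and validating the input length is the fix a defender would apply if reusing such a decoder; the malicious page has no reason to care.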