You are here: Known Vulnerabilities in Mozilla Products (Firefox 220.127.116.11) > MFSA 2008-13
Mozilla Foundation Security Advisory 2008-13
Title: Multiple XSS vulnerabilities from character encoding
Announced: March 25, 2008
Reporter: Alexey Proskuryakov, Yosuke Hasegawa, Simon Montagu
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 18.104.22.168
WebKit developer Alexey Proskuryakov reported that the Mozilla HTML parser treated the backspace character as whitespace contrary to the HTML specification and different from other browsers. This difference might lead to Cross-site Scripting (XSS) risks on sites which filtered input in accordance with the specification.
Yosuke Hasegawa reported a flaw in the way Mozilla parses the control character 0x80 under Shift_JIS encoding. This flaw could potentially be used to evade web-site input filters and result in a XSS attack hazard. While investigating, Mozilla developer Simon Montagu discovered several variants of this flaw involving zero-length non-ASCII sequences in ISO-2022-JP, ISO-2022-CN, ISO-2022-KR, and HZ-GB-2312.
These flaws were fixed in and prior to Firefox 22.214.171.124 but the announcement was held until other browser vendors could fix related flaws.