Last modified: 2014-01-14 07:24:32 UTC
Adding this to a page will execute javascript when clicked. This is a variant of http://html5sec.org/#9. <div title="data:text/html,<img src=1 onerror=alert(1)>" style="-o-link:attr(title);-o-link-source:current">Click Me</div> I can't see any good reason to allow -o-link in the style, since most browsers ignore it.
Created attachment 14095 [details] Disallow -o-link in styles
So you have verified this in a recent version of Opera? The link extensions have been removed from the Opera documentation, but you can find them in IA: <https://web.archive.org/web/20030602071146/http://www.opera.com/docs/specs/#xml-css-link> opera.com still hosts documentation for Opera 7, which was the current version at the time of that archive, but it seems they later decided to edit out all mention of that feature. Maybe if -o-link still exists, then -o-replace may also still exist? It should probably be blacklisted also.
I verified it with 12.15, it looks like 12.16 is the most current. -o-replace gives me an unknown property error, but probably best to blacklist it too, just in case.
Created attachment 14109 [details] Disallow -o-link in styles Forbid -o-replace too
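An illustration of the check the attachments above describe, written for this thread as an example rather than taken from the MediaWiki patch: a small inline-style checker that normalizes CSS escapes and comments before looking for the `-o-link`, `-o-link-source` and `-o-replace` property names (the forbidden list and the `/* insecure input */` replacement marker are assumptions for this example).

```python
import re

# Property names this thread proposes to forbid in inline style attributes.
# Assumed list for this example, not the sanitizer's real configuration.
FORBIDDEN_CSS_PROPERTIES = {"-o-link", "-o-link-source", "-o-replace"}

# "property : value" inside one declaration; whitespace-tolerant.
_DECL_RE = re.compile(r"\s*([-\w]+)\s*:\s*(.*)")

def normalize_css(style: str) -> str:
    """Undo the obfuscations a blacklist check must see through:
    hex escapes (\\69 -> 'i'), backslash-quoted characters, and comments."""
    style = re.sub(r"\\([0-9a-fA-F]{1,6})[ \t\r\n]?",
                   lambda m: chr(int(m.group(1), 16)), style)
    style = re.sub(r"\\(.)", r"\1", style)
    # Stripping comments is conservative: "-o-/**/link" is treated as "-o-link".
    return re.sub(r"/\*.*?\*/", "", style, flags=re.S)

def forbidden_properties(style: str) -> list[str]:
    """Return the forbidden property names found in a style attribute,
    in the order they appear (case-insensitive)."""
    found = []
    for decl in normalize_css(style).split(";"):
        m = _DECL_RE.match(decl)
        if not m:
            continue
        prop = m.group(1).lower()
        if prop in FORBIDDEN_CSS_PROPERTIES:
            found.append(prop)
    return found

def check_style(style: str) -> str:
    """Sanitizer-style behaviour: reject the whole attribute if any
    forbidden property is present, otherwise pass it through unchanged."""
    return "/* insecure input */" if forbidden_properties(style) else style

# Constructed sample: the style attribute from the report above.
REPORT_STYLE = "-o-link:attr(title);-o-link-source:current"

if __name__ == "__main__":
    print(forbidden_properties(REPORT_STYLE))  # ['-o-link', '-o-link-source']
    print(check_style("color:red; -O-Link : attr(title)"))  # /* insecure input */
    print(check_style("color:red"))  # color:red
```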
Well, Opera 12.16 is the most current, ... of the Presto branch (which is no longer advertised). Since early 2013, Opera has been reimplemented using Chromium (Blink, V8, etc.). First beta (Opera 15, version 13/14 were skipped) in May 2013, and gone stable since. They're up to Opera 18 already, and do have auto-updating. However Opera 12 does not auto-update to Opera >= 15, so Opera 12 continues to have a fair browser share for now (seems good to support, especially when relatively inexpensive and in the interest of security).
Looks good.
This has been assigned CVE-2013-6454
Created attachment 14264 [details] Disallow -o-link in styles (1.19 branch)
Created attachment 14265 [details] Disallow -o-link in styles (1.21 branch)
Created attachment 14266 [details] Disallow -o-link in styles (1.22 branch)