The code doesn't execute on Chrome 59 while it does on Canary. Anyone know why? Some kind of built-in protection against this kind of attack? pic.twitter.com/KQE6DmnHVq
Thanks! That's definitely this. It might be a little bit too restrictive though, as src="data:,alert(1)<script" also gets blocked.
Oh, and I think I found a bypass: just use duplicate attribute names.
https://jsbin.com/niwopidote/edit?html,output
CC: @mikewest pic.twitter.com/qZV9t9ZBve
Awesome, this is a great bypass! Maybe @mikewest can still patch it up before this reaches stable. Find more! :)
Ugh. Clever. I guess I need to go change the parser code. :/ Would one of you mind filing a bug so I don't forget about this?
I'd love to but not sure where. In the Chromium tracker as a Security issue?
Sounds about right; CCing @mikewest should do it :)
"This is a tiny bug!", I thought much earlier this morning. *sigh* https://chromium-review.googlesource.com/c/566822/ is out for review.