Bypass with multiple doc.write calls #116
Comments
related: bypass with multiple arguments to doc.write
wow, mental. Given there is Line 33 in 48ec98b `.innerHTML`, could the same be applied here by hooking into `contentDocument.write`?

Basically this snippet fixes it and maybe can be generalized.

```js
var f = document.createElement('iframe');
document.body.appendChild(f);
fix(f); // should be done by patched `.appendChild`
f.contentDocument.write('<iframe id="tst');
f.contentDocument.write('"></iframe><script>tst.contentWindow.alert(1);</script>');

function fix (f) {
  var old_write = f.contentDocument.write;
  var content = ''; // everything written so far, across all write() calls
  const parser = document.createElement('div'); // inert scratch element used to parse the accumulated HTML
  f.contentDocument.write = patched_write;
  function patched_write (...args) {
    content += args.join('');
    parser.innerHTML = content;
    const iframes = [...parser.querySelectorAll('iframe')];
    if (iframes.length) {
      f.contentDocument.close();
      iframes.forEach(iframe => {
        var [s1, s2] = [
          `console.log('apply snow to iframe')`,
          `tst.contentWindow.alert = (...args) => console.log(...args)`
        ].map(s => Object.assign(document.createElement('script'), { textContent: `${s}` }));
        iframe.before(s1);
        iframe.after(s2);
      });
      console.log('fuck');
      console.log(parser.children);
      old_write.apply(f.contentDocument, [parser.innerHTML]);
    } else {
      old_write.apply(f.contentDocument, args);
    }
  }
}
```
@serapath yes, something like that, the main points are that

I found it the hard way when an attempted fix broke a similar test...

yes, and #80 (comment)

Sorry to ruin the party guys, but with the help of #118 we might not need to dig too deep into this (thanks for the help!)
What happens is that `document.write` calls are buffered, but `handleHTML` sees only one chunk at a time so it won't find anything inside the `template`.
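The per-chunk blind spot described above, as an added example that is not code from the snow project: a write hook that scans the accumulated HTML rather than each chunk, so a start tag split across two `document.write` calls is still seen. `sink`, `onIframe` and the sample chunks are constructed stand-ins for the real document and for snow's own handler, so it runs outside a browser.

```javascript
// Return true if `html` contains a complete start tag named `tagName`.
// Quoted attribute values are skipped so a '>' inside them does not end the tag,
// and a tag cut off by the end of the buffer (like `<iframe id="tst`) is not counted.
function hasCompleteStartTag(html, tagName) {
  const re = new RegExp('<' + tagName + '(?=[\\s/>])', 'gi');
  let m;
  while ((m = re.exec(html)) !== null) {
    let quote = null;
    for (let i = m.index + m[0].length; i < html.length; i++) {
      const c = html[i];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') return true;
    }
  }
  return false;
}

// Per-chunk check, the behaviour the issue describes: each chunk is inspected alone.
function chunkScanSeesIframe(chunks) {
  return chunks.some(c => hasCompleteStartTag(c, 'iframe'));
}

// Buffered hook: `sink` stands in for the original document.write (constructed),
// `onIframe` fires once the accumulated buffer holds a complete <iframe ...> tag.
function makeBufferedWrite(sink, onIframe) {
  let buffer = '';   // grows for the lifetime of the document; reset it on close() in real use
  let flagged = false;
  return function write(...args) {
    const chunk = args.join('');
    buffer += chunk;
    if (!flagged && hasCompleteStartTag(buffer, 'iframe')) {
      flagged = true;
      onIframe(buffer);
    }
    sink(chunk);
  };
}

// Constructed sample: the two writes quoted in this issue.
const SAMPLE_CHUNKS = ['<iframe id="tst', '"></iframe><script>tst.contentWindow.alert(1);</script>'];

function demo() {
  const written = [];
  let detected = null;
  const write = makeBufferedWrite(s => written.push(s), html => { detected = html; });
  SAMPLE_CHUNKS.forEach(c => write(c));
  return { perChunk: chunkScanSeesIframe(SAMPLE_CHUNKS), buffered: detected !== null, written };
}
```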