Nghĩa Đào Trọng - 10 months ago 22
Javascript Question

Escaped Script tag inside a Select box option (Chrome)

I have an HTML page which contains a dropdown list.

<select>
  <option>1</option>
  <option>2</option>
  <option>3</option>
  <option>&lt;script&gt;alert('XSS')&lt;/script&gt;</option>
</select>

In Chrome the select box won't open.

When I open it in Firefox, the dropdown list opens, but in Chrome it does not.

Fiddle link:


Chrome has a feature that can be turned off by setting this flag in your Chrome (icon) > Properties > Target path:

...ome.exe" --disable-web-security

Despite that, what you're trying to do will suffer from this:

CSP Level 2 offers backward compatibility for inline scripts by allowing you to whitelist specific inline scripts using either a cryptographic nonce (number used once) or a hash

So you might probably want to create a .json manifest with an "unsafe-inline" property that has that exact (unescaped) script converted to SHA256:

<script>alert('XSS')</script> // >> convert it to SHA256

Content-Security-Policy: script-src 'sha256-41f152968d8d75de3055b59b194f3a5a993b65b06c1586d7dda9d73be115271d'

or using a nonce property:

<script nonce="a3afdc68d2731d5187f58e833610c951">alert('XSS')</script>

must match your manifest's script-src:

Content-Security-Policy: script-src 'nonce-a3afdc68d2731d5187f58e833610c951'

So Chrome will not allow you to do what you might expect with inline scripts
(test using <span> and it'll work!) without you knowing exactly the madness you're doing.
BTW, no element is allowed inside an option tag, escaped or not, so Chrome is really smart about it. Especially regarding XSS prevention.