Today, Hong emailed me with yet another Google XSS vulnerability. This time it is in the way Google's filtering engines work to protect its users from malicious HTML in Google Docs. I've seen this exact hole a number of times in sites that allow WYSIWYG editors. Unfortunately, the fact that the HTML is rendered doesn't make it safe. Things like that are often vulnerable to iframe injection as well. Here's his email, edited only for formatting.
I found a hole in the Google Docs XSS filter. Google Docs does not know how textarea works. If we inject the following HTML code into the document:
<textarea><a href=" http://www.site.com/
The Google XSS filter does not filter out <script>alert('xss')</script> because it is inside an HTML tag encapsulation. But in fact the browser treats <a href="http://www.site.com/ as plain text inside the textarea, then runs the script that follows it.
Google has had a pretty terrible track record when it comes to these vulnerabilities, as have many other sites of this complexity, and this one represents two failings: firstly, not understanding what HTML looks like, and secondly, not understanding that rich HTML can jump out of itself in weird ways when you just throw user text into the middle of your page. Hopefully they fix this one quickly.
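To make the parsing mistake concrete, here is an added example (my own code, not Google's filter or anything from Hong's email) that tokenizes HTML two ways: a naive filter that only tracks tags and quoted attributes, and a tokenizer that knows textarea, title, script and style content is character data until the matching end tag, which is how a browser reads it. The sample input is constructed to match the class of markup described above.

```python
import re

# Elements whose content the browser tokenizes as character data (RCDATA /
# raw text): inside them '<a href="' is just text, and only the matching
# end tag switches the tokenizer back to markup.
RAW_TEXT_ELEMENTS = {"textarea", "title", "script", "style"}

START_RE = re.compile(r"<([a-zA-Z][a-zA-Z0-9-]*)")
END_RE = re.compile(r"</([a-zA-Z][a-zA-Z0-9-]*)\s*>")


def _scan_tag(html, pos):
    """Consume one start tag at pos; return (name, position after it).
    A quoted attribute value may contain anything, so an unclosed quote
    swallows the rest of the input, just as in the tokenizer's DATA state."""
    m = START_RE.match(html, pos)
    name, i = m.group(1).lower(), m.end()
    while i < len(html):
        ch = html[i]
        if ch in ('"', "'"):
            j = html.find(ch, i + 1)
            i = len(html) if j == -1 else j + 1
            continue
        if ch == ">":
            return name, i + 1
        i += 1
    return name, i


def tokenize(html, raw_text_aware=True):
    """Return ('start'|'end'|'text', value) tokens. With raw_text_aware=False
    it models a filter that only tracks tags and attribute quotes."""
    tokens, pos = [], 0
    while pos < len(html):
        end = END_RE.match(html, pos)
        if end:
            tokens.append(("end", end.group(1).lower()))
            pos = end.end()
        elif START_RE.match(html, pos):
            name, pos = _scan_tag(html, pos)
            tokens.append(("start", name))
            if raw_text_aware and name in RAW_TEXT_ELEMENTS:
                close = re.compile(r"</" + name + r"\s*>", re.I).search(html, pos)
                stop = close.start() if close else len(html)
                tokens.append(("text", html[pos:stop]))
                pos = stop
        else:
            nxt = html.find("<", pos + 1)
            stop = len(html) if nxt == -1 else nxt
            tokens.append(("text", html[pos:stop]))
            pos = stop
    return tokens


def start_tags(html, raw_text_aware=True):
    """Element names a filter would actually see as start tags."""
    return [v for k, v in tokenize(html, raw_text_aware) if k == "start"]


# Constructed sample: an unclosed quoted attribute inside a textarea,
# followed by a script element (hypothetical test input, not from the post).
SAMPLE = '<textarea><a href=" http://www.site.com/</textarea><script>alert(\'xss\')</script>'

if __name__ == "__main__":
    print("quote-tracking filter sees:", start_tags(SAMPLE, raw_text_aware=False))
    print("browser-style tokenizer sees:", start_tags(SAMPLE, raw_text_aware=True))
```

The naive pass never sees the script element because the `"` after `href=` is never closed, while the RCDATA-aware pass reports it, which is the verdict a sanitizer must base its decision on.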