Failing to flag a simple source #18

Open
GoogleCodeExporter opened this issue Nov 13, 2015 · 3 comments

@GoogleCodeExporter

DOMSnitch is not catching a simple test where location.search.substring(1); 
makes its way to an innerHTML.

Test case is up here http://nottrusted.com/test/dom.html?x=y

Or to get an onmouseover event in: 
http://nottrusted.com/test/dom.html?x=aa%3Ca%20href%3d%27a%27%20onmouseover=%27alert%281%29%27%3Eref%3C/a%3E

I used DOMinator which caught this and expected DOMSnitch to do the same.  

Original issue reported on code.google.com by [email protected] on 8 Jul 2011 at 9:46

@GoogleCodeExporter

This is due to a race condition between when DOM Snitch can properly traverse 
the DOM tree (where everything is done via JavaScript without interacting 
directly with any debug functionality in the V8 engine) and inline JS being 
executed as part of parsing the HTML document. This is a known pain point and 
there is active development work to address this sort of thing. Stay tuned!

Original comment by [email protected] on 9 Jul 2011 at 7:38

  • Changed state: Accepted
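
The race described in the comment above, modeled as an added example (not code from DOM Snitch or from this thread): a monitor that wraps the `innerHTML` sink records the write only if it is installed before the inline script runs, and a scan of already-written content is one way to recover the finding afterwards. The class, the function names and the scan step are assumptions; the query string `x=y` comes from the test URL in the report.

```javascript
// Simplified model of a DOM element: innerHTML is an accessor a monitor can wrap.
function makeElementClass() {
  return class FakeElement {
    constructor() { this._html = ""; }
    get innerHTML() { return this._html; }
    set innerHTML(v) { this._html = String(v); }
  };
}

// Hypothetical monitor: wraps the sink and records any write that contains
// the query-string text (the source).
function installMonitor(proto, taint, findings) {
  const desc = Object.getOwnPropertyDescriptor(proto, "innerHTML");
  Object.defineProperty(proto, "innerHTML", {
    configurable: true,
    get: desc.get,
    set(v) {
      if (taint && String(v).includes(taint)) findings.push({ how: "hook", value: String(v) });
      desc.set.call(this, v);
    },
  });
}

// Retrospective check for content written before the hook existed.
function scanExisting(el, taint, findings) {
  if (taint && el.innerHTML.includes(taint)) findings.push({ how: "scan", value: el.innerHTML });
}

// Inline script following the reported pattern: source to sink, no encoding.
function inlineScript(el, search) {
  el.innerHTML = search.substring(1);
}

// order: "hook-first" | "hook-late" | "hook-late+scan"
function run(order, search) {
  const Element = makeElementClass();
  const el = new Element();
  const findings = [];
  const taint = search.substring(1);
  if (order === "hook-first") installMonitor(Element.prototype, taint, findings);
  inlineScript(el, search); // executes while the HTML is still being parsed
  if (order !== "hook-first") installMonitor(Element.prototype, taint, findings);
  if (order === "hook-late+scan") scanExisting(el, taint, findings);
  return findings;
}

// Constructed input: the query string from the test URL in the report.
console.log(run("hook-first", "?x=y"), run("hook-late", "?x=y"), run("hook-late+scan", "?x=y"));
```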

@GoogleCodeExporter

Thanks for the fast reply, and great work on DOMSnitch, keep it up!

Original comment by [email protected] on 12 Jul 2011 at 4:51

@GoogleCodeExporter

The detection problem should be addressed in 0.717. However, there is more to 
be done in determining if it is exploitable.

Original comment by [email protected] on 1 Sep 2011 at 8:12
