Odd XSS quirk in google videos

I don't think this is exploitable, but here are the details that I reported to Google…

Bug with your XSS filters.

When viewing a video, there is a bar down the right-hand side of the screen.
There is a bug in what I presume is your cross-site scripting filter.

When it encounters a ' (single quote) within a string, it generates undesired results.

For example:
<a href="/videoplay?docid=2421984664875201064" onclick='setSessionCookie(VP_playlistCookieName, "…,", VP_cookieDomain); setSessionCookie(VP_playlistIndexCookieName, -1, VP_cookieDomain);' title="Steve Irwin How I" d="" like="" to="" be="" remembered="">Steve Irwin How I'd Like to…</a>

Notice how the 'title' attribute of the <a> tag has been quoted: the apostrophe in the title closes the attribute early, so the rest of the title string is parsed as additional (empty) attributes of the <a> tag.
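To make the failure mode concrete, here is an added example (my own illustration, not code from the original report or from Google): a template that drops a title into a single-quoted attribute without escaping, the same template with attribute escaping, and a simplified tokenizer that splits a start tag into attributes the way a browser does. The functions `buildLinkVulnerable`, `buildLinkSafe`, `escapeAttr` and `parseAttributes` are hypothetical names chosen for this example; the title and href are taken from the snippet above.

```javascript
// Added example, not from the original post. Demonstrates how an unescaped
// apostrophe in a single-quoted HTML attribute breaks out of that attribute
// and how escaping attribute values prevents it.

// Escape every character that can terminate or alter an attribute value.
// Both quote styles are covered, so the result is safe whichever quote the
// template happens to use around the attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable builder (hypothetical): interpolates the title into a
// single-quoted attribute with no escaping, the behaviour described above.
function buildLinkVulnerable(href, title) {
  return `<a href='${href}' title='${title}'>${title}</a>`;
}

// Hardened builder (hypothetical): same markup, every interpolated value escaped.
function buildLinkSafe(href, title) {
  return `<a href='${escapeAttr(href)}' title='${escapeAttr(title)}'>${escapeAttr(title)}</a>`;
}

// Simplified attribute tokenizer. Like a browser, it ends a quoted value at
// the matching quote, and any bare words that follow become attribute names
// with empty values. Real HTML tokenization has more states; this is enough
// to reproduce the case in the post.
function parseAttributes(tag) {
  const inner = tag.slice(tag.indexOf("<a") + 2, tag.indexOf(">"));
  const attrs = {};
  const re = /([^\s='"]+)(?:\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s'"]+)))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    const name = m[1].toLowerCase();
    let value = "";
    if (m[2] !== undefined) value = m[2];
    else if (m[3] !== undefined) value = m[3];
    else if (m[4] !== undefined) value = m[4];
    // First occurrence of a name wins, as in browsers.
    if (!(name in attrs)) attrs[name] = value;
  }
  return attrs;
}

// Constructed input, using the title and href from the report above.
const SAMPLE_HREF = "/videoplay?docid=2421984664875201064";
const SAMPLE_TITLE = "Steve Irwin How I'd Like to be remembered";

// Returns the attribute maps the two builders produce for the sample input.
function demo() {
  return {
    vulnerable: parseAttributes(buildLinkVulnerable(SAMPLE_HREF, SAMPLE_TITLE)),
    safe: parseAttributes(buildLinkSafe(SAMPLE_HREF, SAMPLE_TITLE)),
  };
}

console.log(demo());
```

Running it shows the vulnerable output with a truncated `title` plus the stray `d`, `like`, `to`, `be` and `remembered` attributes, exactly as in the inspected markup above, while the escaped output carries only `href` and `title`. The fix is to escape at the point where a value is written into an attribute, not to filter the input string.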

Last time a friend found a bug and reported it, it took a shockingly long time for google to fix it …
