[Android] HTML Injection in BatterySaveArticleRenderer WebView

Disclosed: 2018-10-22 19:51:14 By bobrov To brave
High
Vulnerability Details
## Summary: HTML Injection in BatterySaveArticleRenderer WebView. ## Products affected: * Android Brave Browser 1.9.56 ## Steps To Reproduce: * Open https://blackfan.ru/brave or html ```html <script> location="https://www.google.com/search?q=</title><h1><marquee><s>Injection<!--" </script> ``` * Wait for a full load * Click on ArticleModeButton ## Supporting Material/References: Vulnerable code: ```java public class aot ... // s7 == title if(s7 != null) { s4 = (new StringBuilder()).append(s5).append("<title>").append(s7).append("</title>").toString(); s1 = (new StringBuilder()).append(s6).append("<p style=\"font-size:").append(s1).append(";line-height:120%;font-weight:bold;margin:").append(s3).append(" 0px 12px 0px\">").append(s7).append("</p>").toString(); ... // s8 == authorName if(s8 != null) s1 = (new StringBuilder()).append("<span class=\"nowrap\"><b>").append(s8).append("</b>,</span> ").toString(); ```
Actions
View on HackerOne
Report Stats
  • Report ID: 176065
  • State: Closed
  • Substate: resolved
  • Upvotes: 41
Share this report