Chromium developers have patched a parsing bug that could lead to XSS exploits, tracked as CVE-2022-0801. The medium-severity vulnerability is described as an inappropriate implementation in the HTML parser. The bug was discovered by Michał Bentkowski of Securitum.
The security researcher found the flaw in the Chromium source code's tree builders. There are two tree builders in use: html_tree_builder.cc and html_tree_builder_simulator.cc.
HTML is initially parsed with html_tree_builder and then parsed again with html_tree_builder_simulator. As a result, any discrepancy between the two could trigger a cross-site scripting (XSS) vulnerability.
html_tree_builder_simulator appears to be very short and simple. Unfortunately, it oversimplifies HTML parsing and mishandles tokenizer state switching, leading to seemingly "impossible" DOM trees being created.
When the content was parsed in the second DOM tree, an image tag was included outside of the original parse, leading to XSS. The vulnerability was originally described as a mutation XSS, a form of XSS caused by differences in how browsers interpret code.
A developer later noted that the bug could be considered a universal XSS, a flaw exploited through vulnerable client-side browsers. The Chrome Vulnerability Reward Program (VRP) awarded Bentkowski $5,000 for his report.
A patch has been issued in Chrome 99.0.4844.51 that resolves the flaw by enabling the ForceSynchronousHTMLParsing feature by default. Microsoft has also implemented the fix in the Chromium-based Microsoft Edge browser.