Opera Browser Vulnerable To UTF-8 Whitespace Characters
16 Sep. 2008
Summary
Opera released version 9.52 of their flagship browser about a month ago to address an issue in the way certain Unicode characters were being interpreted as white space. This behavior enabled cross-site scripting (XSS) attacks which might not otherwise be possible. Perhaps exploiting this issue would also be useful to evade HTML filters, AV's, WAFs, or other detection systems which try to prevent XSS attacks.
The Unicode spec assigns binary property meta-data to code points, one of which is the 'white_space' property. In Opera's case, we could use almost any character with a Unicode white_space property to represent a normal whitespace character like U+0020.
The following code points all get treated as a space. Making things like:
<a href=#[U+180E]onclick=alert()>
possible. This list includes many of the Unicode code points with the white_space property:
U+2002 to U+200A
U+205F
U+3000
U+180E Mongolian Vowel Separator
U+1680 Ogham Space Mark
