I'll note that the sandbox escape here is only possible using DTDs sourced from privileged content. The about:telemetry example from comment #0 won't work on nightly after the patch in https://bugzilla.mozilla.org/show_bug.cgi?id=1523741 is finished up and lands. Although :kmag's link in comment #21 has 200+ hits, most of them don't fit this bill either (e.g. netError is only loaded in unprivileged docs). We could fix up the remaining hits in browser.dtd and then pretty easily enforce that HTML entities in DTDs loaded in the parent process get escaped. This should be much less work than converting all of these, esp. because we apparently need more fluent changes to convert neterror to fluent (cf. https://bugzilla.mozilla.org/show_bug.cgi?id=1484955#c3 ).
Bug 1538007 Comment 26 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
I'll note that the sandbox escape here is only possible using DTDs sourced from privileged content. The about:telemetry example from comment #0 won't work on nightly after the patch in https://bugzilla.mozilla.org/show_bug.cgi?id=1523741 is finished up and lands. Although :kmag's link in comment #21 has 200+ hits, most of them don't fit this bill either (e.g. netError is only loaded in unprivileged docs). We could fix up the remaining hits in browser.dtd and then pretty easily enforce that the standard set of [&<>'"] things in DTDs loaded in the parent process get escaped. This should be much less work than converting all of these, esp. because we apparently need more fluent changes to convert neterror to fluent (cf. https://bugzilla.mozilla.org/show_bug.cgi?id=1484955#c3 ).
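Added illustration of the escaping rule the comment proposes (this is example code written for this page, not Firefox code or a patch from the bug): every `&<>'"` in an internal entity value is rewritten to the corresponding predefined reference before the DTD can feed a parent-process document, so a localized string can no longer become markup when its entity is referenced. The entity names, the hostile values and the simplified parser model (character references decoded at declaration time, replacement text re-scanned for tags on use) are all constructed here for the demonstration.

```javascript
// Added illustration, not Firefox code: escape the [&<>'"] set inside DTD
// entity values before a privileged (parent-process) document loads them.
// Entity names and the hostile localization values are constructed.

// XML expands character references inside an EntityValue at declaration
// time, so "&#60;" becomes a raw "<" in the replacement text. Model that
// first, then escape the resulting characters.
function decodeCharRefs(value) {
  return value.replace(/&#(?:x([0-9A-Fa-f]+)|(\d+));/g, (_, hex, dec) =>
    String.fromCodePoint(hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10)));
}

// Named references to the five predefined entities are bypassed in an
// EntityValue and only expanded when the entity is used in content, where
// they yield character data, so they are safe to keep. Every other "&" is
// escaped, which also neutralises references to other entities.
const PREDEFINED_REF = /^&(amp|lt|gt|apos|quot);/;

function escapeEntityValue(value) {
  const decoded = decodeCharRefs(value);
  let out = "";
  for (let i = 0; i < decoded.length; i++) {
    const ch = decoded[i];
    if (ch === "&") {
      const m = PREDEFINED_REF.exec(decoded.slice(i));
      if (m) { out += m[0]; i += m[0].length - 1; continue; }
      out += "&amp;";
    } else if (ch === "<") out += "&lt;";
    else if (ch === ">") out += "&gt;";
    else if (ch === "'") out += "&apos;";
    else if (ch === '"') out += "&quot;";
    else out += ch;
  }
  return out;
}

// Only internal general entities with a literal value are handled; parameter
// entities (<!ENTITY % ...>) and SYSTEM/PUBLIC entities are left untouched
// here and would have to be rejected outright in a real loader.
const ENTITY_DECL = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;

function escapeDtd(dtd) {
  return dtd.replace(ENTITY_DECL, (_, name, dq, sq) =>
    `<!ENTITY ${name} "${escapeEntityValue(dq !== undefined ? dq : sq)}">`);
}

// Minimal model of the parser: the replacement text of each entity after
// character references have been expanded.
function parseEntities(dtd) {
  const ents = new Map();
  for (const m of dtd.matchAll(ENTITY_DECL)) {
    ents.set(m[1], decodeCharRefs(m[2] !== undefined ? m[2] : m[3]));
  }
  return ents;
}

// When the entity is referenced from content its replacement text is
// re-scanned, so any "<" followed by a name opens a tag. Return the tag
// names that would be injected into the document.
function findInjectedTags(dtd, name) {
  const text = parseEntities(dtd).get(name) || "";
  return [...text.matchAll(/<\/?([A-Za-z][\w-]*)/g)].map((m) => m[1]);
}

// Constructed sample: one benign string, two hostile ones standing in for
// what attacker-influenced localization could carry, and one that uses a
// legitimate predefined reference which must survive unchanged.
const SAMPLE_DTD = [
  '<!ENTITY telemetry.title "Telemetry data">',
  "<!ENTITY telemetry.desc '<img src=\"x\" onerror=\"alert(1)\">'>",
  '<!ENTITY telemetry.note "&#60;script&#62;alert(2)&#60;/script&#62;">',
  '<!ENTITY telemetry.ok "Tom &amp; Jerry">',
].join("\n");

const hardened = escapeDtd(SAMPLE_DTD);
console.log("before:", findInjectedTags(SAMPLE_DTD, "telemetry.desc"),
            findInjectedTags(SAMPLE_DTD, "telemetry.note"));
console.log("after: ", findInjectedTags(hardened, "telemetry.desc"),
            findInjectedTags(hardened, "telemetry.note"));
console.log(hardened);
```

The order matters: character references are decoded before escaping, otherwise `&#60;` would be rewritten to `&amp;#60;` (harmless but rendered as literal garbage) instead of the intended `&lt;`. Keeping the five predefined named references means `Tom &amp; Jerry` is not double-escaped, while `&foo;` references to other entities are neutralised along with everything else, which is the conservative choice for strings that end up in chrome-privileged content.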