Bug 1563327 Comment 12 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

We've tried out the suggestion of trying to sanitize the key values of entities in DTD files, but using DOMPurify we're seeing a lot of changes for benign content, such as removal of useless empty markup <p></p>, converting & to &amp;, making double quotes &quot;, and changing double-quotes to single etc.

Simply looking for changes of sanitized vs unsanitized is going to create a lot of false positives without additional filtering. 

In addition the context that DOMPurify is sanitizing for is HTML and it's not clear that is always the right context since we don't know anything about where the strings are consumed.

See the attachment for an example of the differences generated from running against the en langpack from AMO.

Instead of trying to block based on sanitization differences, :mat (cc'd) is going to work on looking at blocking 3rd party langpacks from being uploaded for old FF versions as per comment 10.

Additionally we will work on auditing existing langpacks using the tool above to pin-point anything that was removed, since that will certainly help narrow down what we need to look through.

We've tried out the suggestion of trying to sanitize the key values of entities in DTD files, but using DOMPurify we're seeing a lot of changes for benign content, such as removal of useless empty markup <p></p>, converting & to &amp;, making double quotes &quot;, and changing double-quotes to single etc.

Simply looking for changes of sanitized vs unsanitized is going to create a lot of false positives without additional filtering. 

In addition the context that DOMPurify is sanitizing for is HTML and it's not clear that is always the right context since we don't know anything about where the strings are consumed.

See the attachment for an example of the differences generated from running against the en langpack from AMO.

Instead of trying to block based on sanitization differences, :mat (cc'd) is going to work on looking at blocking 3rd party langpacks from being uploaded for old FF versions as per comment 10.

Additionally we will work on auditing existing langpacks using the tool above to pin-point anything that was removed by the sanitization, since that will certainly help narrow down what we need to look through.

We've tried out the suggestion of trying to sanitize the key values of entities in DTD files, but using DOMPurify we're seeing a lot of changes for benign content, such as removal of useless empty markup <p></p>, converting `&` to `&amp;`, making double quotes `&quot;`, and changing double-quotes to single etc.

Simply looking for changes of sanitized vs unsanitized is going to create a lot of false positives without additional filtering. 

In addition the context that DOMPurify is sanitizing for is HTML and it's not clear that is always the right context since we don't know anything about where the strings are consumed.

See the attachment for an example of the differences generated from running against the en langpack from AMO.

Instead of trying to block based on sanitization differences, :mat (cc'd) is going to work on looking at blocking 3rd party langpacks from being uploaded for old FF versions as per comment 10.

Additionally we will work on auditing existing langpacks using the tool above to pin-point anything that was removed by the sanitization, since that will certainly help narrow down what we need to look through.
