Bug 1959298 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36

Steps to reproduce:

In the file browser/components/preferences/sync.js, I identified that the _getEntryPoint() method parses document.URL directly to extract the entrypoint query parameter, which is then passed to FxAccounts.config.promiseConnectAccountURI() and promiseManageURI(). The resulting URL is inserted into the DOM via element.setAttribute("href", ...) without validation or sanitization.

Key code:
```js
// _getEntryPoint(): the query string is split out of document.URL by hand and
// the raw "entrypoint" value is returned without any validation
let params = new URLSearchParams(document.URL.split("#")[0].split("?")[1] || "");
return params.get("entrypoint") || "preferences";
```

This value is later used in:
```js
// href sink: the URIs built from the entrypoint value are written straight into the DOM
.setAttribute("href", accountsManageURI);
.setAttribute("href", connectURI);
```

Example URL (it does not display an alert, because it is an about:// page and that does not allow the JavaScript code to be executed):
`about:preferences?entrypoint=javascript:alert(1)#sync`

In simple words, you should just remove the DOM XSS vulnerability: even though it is not feasible, the code itself is vulnerable to it.


Actual results:

The parameter entrypoint is inserted directly into the DOM without being validated or sanitized. While Firefox currently blocks javascript: URLs in most privileged contexts like about:preferences, the flow still qualifies as DOM-based XSS because:

Untrusted user-controlled input flows to a dangerous DOM sink.

This creates a security smell and future risk.


Expected results:

Input such as entrypoint should be strictly validated against a whitelist of expected values (e.g., "preferences", "sync", etc.) before being used in any DOM insertion, especially in sensitive attributes like href.
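As an added example (not Firefox code and not from the bug report), the parsing the report quotes is reproduced as-is beside an allowlist-validated version and a scheme check at the href sink. The allowlist contents beyond "preferences" and "sync", the base URI, and the helper names are assumptions made for the demonstration:

```javascript
// Added example, not code from Firefox or the bug report: the report's
// entrypoint parsing reproduced as-is, beside an allowlist-validated version
// and a scheme check at the href sink. Names and URLs here are assumptions
// chosen for the demonstration, not Firefox identifiers.

// Constructed allowlist; "preferences" and "sync" are the values named in the report.
const ALLOWED_ENTRYPOINTS = new Set(["preferences", "sync"]);
const DEFAULT_ENTRYPOINT = "preferences";

// Only https: destinations may be written to the account links' href.
const ALLOWED_HREF_SCHEMES = new Set(["https:"]);

// Mirrors the parsing quoted in the report: whatever follows "entrypoint="
// is returned untouched, so "javascript:alert(1)" comes straight through.
function getEntryPointUnsafe(documentURL) {
  const params = new URLSearchParams(documentURL.split("#")[0].split("?")[1] || "");
  return params.get("entrypoint") || DEFAULT_ENTRYPOINT;
}

// Hardened version: an unknown or missing value falls back to the default
// instead of flowing onward.
function getEntryPointSafe(documentURL) {
  const raw = getEntryPointUnsafe(documentURL);
  return ALLOWED_ENTRYPOINTS.has(raw) ? raw : DEFAULT_ENTRYPOINT;
}

// Hypothetical stand-in for the URI builders the report mentions: the
// entrypoint is attached with URLSearchParams so it is always encoded as a
// query value and can never alter the scheme or path of the base URI.
function buildAccountURI(baseURI, entrypoint) {
  const u = new URL(baseURI);
  u.searchParams.set("entrypoint", entrypoint);
  return u.href;
}

// Defence in depth at the sink: refuse anything that is not a parseable URL
// on an allowed scheme, so a javascript: or data: value never reaches href.
function safeSetHref(element, href) {
  let parsed;
  try {
    parsed = new URL(href);
  } catch {
    return false; // not a URL at all
  }
  if (!ALLOWED_HREF_SCHEMES.has(parsed.protocol)) {
    return false; // e.g. "javascript:" or "data:"
  }
  element.setAttribute("href", parsed.href);
  return true;
}

// Minimal element stand-in so the example runs outside a browser.
class FakeElement {
  constructor() { this.attrs = new Map(); }
  setAttribute(name, value) { this.attrs.set(name, value); }
  getAttribute(name) { return this.attrs.has(name) ? this.attrs.get(name) : null; }
}

// Walk one page URL through both paths and report what each would put in href.
function demo(documentURL) {
  const BASE = "https://accounts.example/settings"; // constructed base URI
  const unsafeValue = getEntryPointUnsafe(documentURL);
  const safeValue = getEntryPointSafe(documentURL);
  const link = new FakeElement();
  const accepted = safeSetHref(link, buildAccountURI(BASE, safeValue));
  // What the sink check does with the raw value if it were used as an href directly.
  const rawAccepted = safeSetHref(new FakeElement(), unsafeValue);
  return { unsafeValue, safeValue, href: link.getAttribute("href"), accepted, rawAccepted };
}

console.log(demo("about:preferences?entrypoint=javascript:alert(1)#sync"));
console.log(demo("about:preferences?entrypoint=sync#sync"));
```

The two layers are independent: the allowlist stops unexpected values at the source, and the scheme check means that even if a future caller passes an unvalidated string to the sink, a non-https: destination is rejected rather than written into href.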
