Bug 1584216 Comment 14 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

### Beta/Release Uplift Approval Request
* **User impact if declined**: User could become a victim of XSS on a site that does XSS filtering in a manner that is just on the right side of safe spec-wise but that doesn't use reasonable XSS filtering practices that have more security margin, such as re-serializing the input as parsed by the XSS filter. In other words, the circumstances where bad things don't happen with the patch but do happen without the patch are rather narrow.
* **Is this code covered by automated tests?**: No
* **Has the fix been verified in Nightly?**: Yes
* **Needs manual test from QE?**: No
* **If yes, steps to reproduce**: 
* **List of other uplifts needed**: None
* **Risk to taking this patch**: Low
* **Why is the change risky/not risky? (and alternatives if risky)**: This is relatively unrisky, since the test case in the other patch tests the relevant cases rather well. Also, if this was to regress, it would unlikely be workflow-breaking for users, since this affects rare cases. (U+0000 does not legitimately appear in HTML and especially not in these positions.)

(I marked "covered as automated tests" as "No", since the test hasn't landed, but a test does exist in unlanded form.)
* **String changes made/needed**: None

### ESR Uplift Approval Request
* **If this is not a sec:{high,crit} bug, please state case for ESR consideration**: Simple security patch for a publicly-disclosed bug.
* **User impact if declined**: User could become a victim of XSS on a site that does XSS filtering in a manner that is just on the right side of safe spec-wise but that doesn't use reasonable XSS filtering practices that have more security margin, such as re-serializing the input as parsed by the XSS filter. In other words, the circumstances where bad things don't happen with the patch but do happen without the patch are rather narrow.
* **Fix Landed on Version**: 71
* **Risk to taking this patch**: Low
* **Why is the change risky/not risky? (and alternatives if risky)**: This is relatively unrisky, since the test case in the other patch tests the relevant cases rather well. Also, if this was to regress, it would unlikely be workflow-breaking for users, since this affects rare cases. (U+0000 does not legitimately appear in HTML and especially not in these positions.)
* **String or UUID changes made by this patch**: None

### Beta/Release Uplift Approval Request
* **User impact if declined**: User could become a victim of XSS on a site that does XSS filtering in a manner that is just on the right side of safe spec-wise but that doesn't use reasonable XSS filtering practices that have more security margin, such as re-serializing the input as parsed by the XSS filter. In other words, the circumstances where bad things don't happen with the patch but do happen without the patch are rather narrow.
* **Is this code covered by automated tests?**: No
* **Has the fix been verified in Nightly?**: Yes
* **Needs manual test from QE?**: No
* **If yes, steps to reproduce**: 
* **List of other uplifts needed**: None
* **Risk to taking this patch**: Low
* **Why is the change risky/not risky? (and alternatives if risky)**: This is relatively unrisky, since the test case in the other patch tests the relevant cases rather well. Also, if this was to regress, it would unlikely be workflow-breaking for users, since this affects rare cases. (U+0000 does not legitimately appear in HTML and especially not in these positions.)

(I marked "covered by automated tests" as "No", since the test hasn't landed, but a test does exist in unlanded form.)
* **String changes made/needed**: None

### ESR Uplift Approval Request
* **If this is not a sec:{high,crit} bug, please state case for ESR consideration**: Simple security patch for a publicly-disclosed bug.
* **User impact if declined**: User could become a victim of XSS on a site that does XSS filtering in a manner that is just on the right side of safe spec-wise but that doesn't use reasonable XSS filtering practices that have more security margin, such as re-serializing the input as parsed by the XSS filter. In other words, the circumstances where bad things don't happen with the patch but do happen without the patch are rather narrow.
* **Fix Landed on Version**: 71
* **Risk to taking this patch**: Low
* **Why is the change risky/not risky? (and alternatives if risky)**: This is relatively unrisky, since the test case in the other patch tests the relevant cases rather well. Also, if this was to regress, it would unlikely be workflow-breaking for users, since this affects rare cases. (U+0000 does not legitimately appear in HTML and especially not in these positions.)
* **String or UUID changes made by this patch**: None
