1002534 - Password change disambiguation dialog can show "<>" as a username

Status: RESOLVED FIXED

(Toolkit :: Password Manager, defect, P3)

Description

[Andy McKay]

Nightly version: 31.0a1 (2014-04-21)

Actual:

Upon typing in a new password on yammer.com, I was presented with this dialog:

https://www.dropbox.com/s/4rj3uwdlosrvkv8/Screenshot%202014-04-28%2009.15.11.png

I'm not sure who the user <> is. I do have a habit of typing in usernames with <script> tags in them to try and test XSS in sites, so I'm wondering thats the cause.

Expected:

I think that user is normally something like "Andrew <script>alert()</alert>", I would expect that to appear, if thats the cause.

Comment 1

[Matthew N. [:MattN]]

Interesting, I'm not sure I've seen that dialog before and I'm not sure how to quickly reproduce that case. The code is https://mxr.mozilla.org/mozilla-central/source/toolkit/components/passwordmgr/nsLoginManagerPrompter.js?rev=b12a19b0e500#1099 in case someone else wants to investigate.

Comment 2

[Matthew N. [:MattN]]

This comes from the prompt service "select" UI implementation: https://searchfox.org/mozilla-central/rev/152993fa346c8fd9296e4cd6622234a664f53341/toolkit/components/prompts/content/selectDialog.js#33-34

At https://dxr.mozilla.org/mozilla-central/rev/b12a19b0e500/toolkit/components/passwordmgr/nsLoginManagerPrompter.js#1115 change

logins.map(function (l) l.username);

to

logins.map(l => l.username || this._getLocalizedString("noUsername"))

Use STR from bug 551948 comment 0 along with the test page in attachment 8546945 [details].

Comment 3

[Manish [:manishkk]]

Attachment: Bug 1002534- Password change disambiguation dialog can show <> as a username

Comment 4

[Pulsebot]

Pushed by mozilla@noorenberghe.ca:
https://hg.mozilla.org/integration/autoland/rev/b8d6fa47d095
Password change disambiguation dialog can show <> as a username r=MattN

Comment 5

[Oana Pop-Rus]

https://hg.mozilla.org/mozilla-central/rev/b8d6fa47d095