Closed Bug 1023608 Opened 11 years ago Closed 7 years ago

Custom Label from the user is assigned to Node's L10nID

Categories

(Firefox OS Graveyard :: Gaia::Contacts, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: zbraniecki, Unassigned)


The code in form.js#renderPhones is happily taking any string provided by the user as a custom label name and injecting it as data-l10n-id for a node: https://github.com/mozilla-b2g/gaia/blob/0750f66a0004870773c9a743fa6bdbe124379336/apps/communications/contacts/js/views/details.js#L475-L488

We do not consider l10n entities secure yet, and that means that a user can fire any entity from contacts.en-US.properties.

I don't see a clear vector of attack, but it is a minor security issue that should be fixed.

One idea on how to fix is that we should have a list of labels that we do localize and set data-l10n-id only for those fields. That could also fix bug 1023606.
Blocks: 1023603
Oh, STR:
1) Create new contact
2) Use custom tag and name it `separator`, `SelectedTxt` or `import-now`
No longer blocks: 1023603
Blocks: 1023603
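The fix idea from the report (set data-l10n-id only for labels the app actually localizes), as an added example that is not Gaia's code. `LOCALIZED_LABELS`, `applyLabel` and the stub node are hypothetical names, and the label list is an assumption; the test labels are the ones from the steps to reproduce.

```javascript
// Added example, not Gaia code. Assumed list of built-in label ids that
// ship with translations. A Set is used instead of a plain-object lookup
// so strings like "constructor" or "__proto__" can never match.
const LOCALIZED_LABELS = new Set(['mobile', 'home', 'work', 'personal', 'other']);

// Set data-l10n-id only for built-in labels; render anything else as text.
function applyLabel(node, label) {
  const value = String(label == null ? '' : label);
  if (LOCALIZED_LABELS.has(value)) {
    node.setAttribute('data-l10n-id', value);
    node.textContent = ''; // the l10n library fills in the translation
    return 'localized';
  }
  // Custom label: it must never select an l10n entity, so clear any id
  // left over from a previous render of the same node.
  node.removeAttribute('data-l10n-id');
  node.textContent = value; // textContent, not innerHTML: no markup parsing
  return 'literal';
}

// Constructed stand-in for a DOM element so the example runs under Node.
function makeNode() {
  const attrs = new Map();
  return {
    textContent: '',
    setAttribute: (k, v) => { attrs.set(k, String(v)); },
    getAttribute: (k) => (attrs.has(k) ? attrs.get(k) : null),
    removeAttribute: (k) => { attrs.delete(k); },
  };
}

// One built-in label, then the custom labels from the steps to reproduce.
function demo() {
  const labels = ['mobile', 'separator', 'SelectedTxt', 'import-now'];
  return labels.map((label) => {
    const node = makeNode();
    const kind = applyLabel(node, label);
    return {
      label,
      kind,
      l10nId: node.getAttribute('data-l10n-id'),
      text: node.textContent,
    };
  });
}

console.log(demo());
```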
Firefox OS is not being worked on
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX