Closed Bug 1140798 Opened 9 years ago Closed 9 years ago

Possible client side code injection in "suggested reviewers" menu.

Categories

(bugzilla.mozilla.org :: Extensions, defect)

Production
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: arai, Assigned: arai)

Attachments

(1 file)

/extensions/Review/web/js/review.js line 150
>        items.push({
>            name: user.identity + ' (' + queue + ')',

here, the `name` property is parsed as HTML, but it's not escaped.
Currently the mail address is bracketed with <>, which is treated as an HTML tag, so it's not shown there literally, and the queue count ends up inside that element.

Reviewers and mentors might be able to inject any HTML via their name (login field), though this is not yet confirmed.
It's already fixed in upstream jQuery-contextMenu as of 13 Sep 2014, but it seems not yet released; the latest, 1.6.6, was released on 12 Jul 2014 :/
https://github.com/medialize/jQuery-contextMenu/commit/f3137f21e17d3f91dad6f913eb3a0e93ada35b8a
This could be the simplest solution, but I'm not sure it's the best one...
There are many changesets since the last release, so if trunk is stable enough, just using trunk might be better.
Attachment #8574359 - Flags: review?(dkl)
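As an added example (not code from this bug, from BMO, or from jQuery-contextMenu; the actual fix is the backported upstream commit above), one caller-side mitigation: HTML-escape the identity string before it is used as the menu item `name`, so a value like `<reviewer@example.com>` is displayed literally instead of being parsed as a tag. The `user`, `queue` and helper names are assumptions.

```javascript
// Added example: escape user-controlled text before it becomes a menu item
// `name` that the plugin inserts as HTML. Not BMO or jQuery-contextMenu code;
// buildItemUnsafe/buildItemSafe and the sample data are constructed here.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every HTML-significant character with its entity so the string
// is rendered as text even when the consumer parses it as HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The shape quoted in the report: identity is concatenated straight into
// a property that the plugin parses as HTML (kept only for comparison).
function buildItemUnsafe(user, queue) {
  return { name: user.identity + ' (' + queue + ')' };
}

// Hardened shape: escape both pieces before concatenating. The "<email>"
// part of the identity now survives as visible text, and any markup a
// reviewer manages to put in their login field is neutralised the same way.
function buildItemSafe(user, queue) {
  return { name: escapeHtml(user.identity) + ' (' + escapeHtml(queue) + ')' };
}

// True if the name still contains something a browser would treat as a tag.
function containsTagLikeText(name) {
  return /<[a-z!\/]/i.test(name);
}

// Constructed sample in the "Real Name <login>" form shown in the menu.
const sampleUser = { identity: 'Example Reviewer <reviewer@example.com>' };
const sampleQueue = 3;
```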
Comment on attachment 8574359 [details] [diff] [review]
backport changeset f3137f21e17d3f91dad6f913eb3a0e93ada35b8a of jQuery-contextMenu

Review of attachment 8574359 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl. Thanks for the patch!
Attachment #8574359 - Flags: review?(dkl) → review+
Thank you for reviewing!
Keywords: checkin-needed
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   0d3b1ca..b199f49  master -> master
Assignee: nobody → arai.unmht
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Thanks again :D
Keywords: checkin-needed
Group: bugzilla-security
Component: Extensions: Review → Extensions