Closed Bug 1159137 Opened 6 years ago Closed 6 years ago
[Stingray][Smart-System] XSS/HTML injection in value picker
Same issue as in Bug 1158715. According to the following link, https://github.com/mozilla-b2g/gaia/blob/master/tv_apps/smart-system/js/value_selector/value_picker.js#L137, where the variable _valueDisplayedText may be any characters coming from user data, it also has a potential XSS injection vulnerability.
1. Replace innerHTML with textContent in value picker.
Attachment #8599650 - Flags: review?(im)
Comment on attachment 8599650 Pull Request
Looks good to me.
Attachment #8599650 - Flags: review?(im) → review+
Why are we still patching security files in the tv-system app that have been ported to system?
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2.2 S11 (1may)
(In reply to Kevin Grandon :kgrandon from comment #3)
> Why are we still patching security files in the tv-system app that have been
> ported to system?

We still need to do it for partner.
Whiteboard: stingray-picked(2015/5/19) → stingray-picked(2015/5/19) [b2g-adv-main2.2-]
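The report notes the same issue in Bug 1158715, and the thread mentions that these files exist in both tv-system and system, so an audit for other HTML-parsing sinks is a useful follow-up to the textContent fix. The following is an added example, not code from Gaia or from anyone in this bug: a line-based heuristic in which `findHtmlSinks`, `report` and the sample source are hypothetical and constructed for illustration.

```javascript
'use strict';
// Added example, not Gaia code. Line-based heuristic: flags DOM sinks that
// parse HTML when the value written is anything other than one plain string
// literal. It is not a parser and can miss statements split across lines.
const SINK_ASSIGN = /\.(innerHTML|outerHTML)\s*\+?=(?!=)\s*(.+?);?\s*$/;
const SINK_CALL = /\.(insertAdjacentHTML)\s*\(\s*[^,]+,\s*(.+?)\)\s*;?\s*$/;
const PLAIN_LITERAL = /^(?:'[^'\\]*'|"[^"\\]*")$/;

function findHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    const code = text.trim();
    if (code.startsWith('//')) return;        // skip commented-out code
    const m = SINK_ASSIGN.exec(code) || SINK_CALL.exec(code);
    if (!m) return;                           // no HTML sink on this line
    const expr = m[2].trim();
    if (PLAIN_LITERAL.test(expr)) return;     // e.g. el.innerHTML = ''
    findings.push({ line: i + 1, sink: m[1], expr });
  });
  return findings;
}

// Constructed sample modelled on the report: line 2 is the pattern described
// in the bug, line 3 is the textContent replacement.
const SAMPLE = [
  "var unit = document.createElement('div');",
  "unit.innerHTML = this._valueDisplayedText[index];",
  "unit.textContent = this._valueDisplayedText[index];",
  "container.innerHTML = '';",
  "// legacy: unit.innerHTML = text;",
  "if (unit.innerHTML === '') { return; }",
  "list.insertAdjacentHTML('beforeend', label);",
].join('\n');

function report(source) {
  return findHtmlSinks(source)
    .map(f => `line ${f.line}: ${f.sink} <- ${f.expr}`);
}

console.log(report(SAMPLE).join('\n'));
```

Each finding still needs a manual look: where the value is meant to be plain text, the remedy is the one applied in this bug, assigning to textContent.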