Closed Bug 1177359 Opened 4 years ago Closed 4 years ago

XSS/HTML Injection in Customizer-Launcher


(Firefox OS Graveyard :: Gaia::Customizer, defect)

Gonk (Firefox OS)
blocking-b2g spark?


(Reporter: freddyb, Assigned: pdahiya)



(Keywords: sec-high, wsec-xss)


(2 files)

(Let's keep the idea that this is a security issue within Bugzilla, until this is resolved)

The customizer uses app and author in its list view without proper HTML escaping. This can lead to XSS and related issues.

I'll follow up with a suggested patch.
I could not figure out how you manage dependencies, so this patch is incomplete.

In essence, I suggest using the Sanitizer library which exists in gaia's shared/sanitizer.js. Usage is explained here:

Punam, can you take this from here on?
Flags: needinfo?(pdahiya)
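To make the reporter's point concrete, here is an added example of the unescaped list-item rendering described above beside a version that escapes the interpolated fields with a tagged template string. It is illustrative code written for this page, not the Customizer-Launcher's code and not gaia's shared/sanitizer.js; the `escapeHTML` tag below is a minimal stand-in written here to show the idea, and the `name`/`author` fields and the sample app record are constructed.

```javascript
// Added example (not Customizer-Launcher or gaia code): escaping app/author fields
// before they are inserted into list-view markup.

// HTML special characters and their entity replacements.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape one untrusted value for use in an HTML text node or a quoted attribute.
function escapeText(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Tagged template: the literal parts pass through unchanged, every ${...}
// interpolation is escaped. This is a stand-in for a sanitizer tag, not gaia's.
function escapeHTML(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += escapeText(values[i]) + strings[i + 1];
  }
  return out;
}

// "Before": app and author are concatenated straight into markup, so a crafted
// author string becomes part of the DOM when assigned to innerHTML.
function renderItemUnsafe(app) {
  return '<li><span class="name">' + app.name + '</span>' +
         '<span class="author">' + app.author + '</span></li>';
}

// "After": identical markup, but interpolations go through the escaping tag.
function renderItemSafe(app) {
  return escapeHTML`<li><span class="name">${app.name}</span><span class="author">${app.author}</span></li>`;
}

// Constructed sample: an app record whose author field carries an HTML payload.
const SAMPLE_APP = { name: 'Weather', author: '<img src=x onerror="alert(1)">' };

// True if the rendered markup contains an <img ...> start tag, i.e. the payload survived.
function containsImgTag(html) {
  return /<img\b/i.test(html);
}

console.log(renderItemUnsafe(SAMPLE_APP));
console.log(renderItemSafe(SAMPLE_APP));
```

Both renderers produce the same markup for well-behaved input; only the escaped version keeps a hostile author string inside the text node it was meant for. Note that escaping of this kind is only sound for text content and quoted attribute values; it does not make an untrusted value safe inside a `javascript:` URL, an inline event handler, or an unquoted attribute.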
Assignee: nobody → pdahiya
Flags: needinfo?(pdahiya)
Thanks Frederik for the patch, I will take it to bring in and use shared/sanitizer.js in the customizer launcher app.
blocking-b2g: --- → spark?
Any updates?
Flags: needinfo?(pdahiya)
Punam, you can now pull in sanitizer.js using Bower:
Thanks Justin, I will submit the patch using Bower in CL.
Flags: needinfo?(pdahiya)
Hi Justin

Attaching patch that uses Sanitizer with template strings in CL. Please review. Thanks!
Attachment #8631739 - Flags: review?(jdarcangelo)
Comment on attachment 8631739 [details] [review]
Patch with fix of Bug 1177359

Looks good Punam, thanks! Left some minor nits on the PR.
Attachment #8631739 - Flags: review?(jdarcangelo) → review+
Thanks Justin for the review, patch updated with feedback and landed on master.
Closed: 4 years ago
Resolution: --- → FIXED
Group: b2g-core-security → core-security
Group: core-security → core-security-release
Group: core-security-release