Closed Bug 1177359 Opened 4 years ago Closed 4 years ago

XSS/HTML Injection in Customizer-Launcher

Categories

(Firefox OS Graveyard :: Gaia::Customizer, defect)

ARM
Gonk (Firefox OS)
defect
Not set

Tracking

(blocking-b2g:spark?)

RESOLVED FIXED
blocking-b2g spark?

People

(Reporter: freddyb, Assigned: pdahiya)

References

Details

(Keywords: sec-high, wsec-xss)

Attachments

(2 files)

(Let's keep the idea that this is a security issue within Bugzilla, until this is resolved)

The customizer uses app and author in its list view without proper HTML escaping. This can lead to XSS and related issues.

I'll follow up with a suggested patch.
I could not figure out how you manage dependencies, so this patch is incomplete.

In essence, I suggest using the Sanitizer library which exists in gaia's shared/sanitizer.js. Usage is explained here: https://developer.mozilla.org/en-US/Firefox_OS/Security/Security_Automation

Punam, can you take this from here on?
Flags: needinfo?(pdahiya)
Assignee: nobody → pdahiya
Flags: needinfo?(pdahiya)
Thanks Frederik for the patch; I will take it to bring in and use shared/sanitizer.js in the customizer launcher app.
blocking-b2g: --- → spark?
Any updates?
Flags: needinfo?(pdahiya)
Punam, you can now pull in sanitizer.js using Bower: https://github.com/fxos-eng/sanitizer
Thanks Justin, I will submit the patch using bower https://github.com/fxos-eng/sanitizer in CL.
Flags: needinfo?(pdahiya)
Hi Justin,

Attaching patch that uses Sanitizer with template strings in CL. Please review. Thanks!
Attachment #8631739 - Flags: review?(jdarcangelo)
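The unescaped list rendering the report describes, beside the tagged-template fix the patch adopts, as an added example that is not the customizer-launcher code and not gaia's shared/sanitizer.js: the `escapeHTML` helper below is a hand-written stand-in with the same tagged-template shape, and the item fields and sample entries are constructed.

```javascript
// Added example, not code from the customizer-launcher patch or from
// gaia's shared/sanitizer.js. escapeHTML here is a hand-written tagged
// template that mirrors the Sanitizer approach of escaping every
// interpolated value while leaving the template's own markup untouched.

// Characters that must never reach the HTML parser unencoded.
const ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;'
};

// Tagged template: literal parts are trusted markup, interpolated values
// are untrusted data and are entity-encoded before concatenation.
function escapeHTML(strings, ...values) {
  return strings.reduce((out, lit, i) => {
    const v = i < values.length
      ? String(values[i]).replace(/[&<>"'/]/g, c => ENTITIES[c])
      : '';
    return out + lit + v;
  }, '');
}

// Vulnerable form (what the bug reports): app and author are concatenated
// straight into markup, so a crafted field becomes live HTML.
function renderItemUnsafe(item) {
  return '<li><span class="app">' + item.app + '</span>' +
         ' by <span class="author">' + item.author + '</span></li>';
}

// Fixed form: the same markup, with the fields passed through escapeHTML.
function renderItemSafe(item) {
  return escapeHTML`<li><span class="app">${item.app}</span> by <span class="author">${item.author}</span></li>`;
}

function renderList(items, render) {
  return '<ul>' + items.map(render).join('') + '</ul>';
}

// Constructed sample entries (hypothetical), one with a hostile author field.
const SAMPLE_ITEMS = [
  { app: 'Weather', author: 'Alice' },
  { app: 'Notes & Todo', author: 'Mallory <script>evil()</script>' }
];

// Check helper: does the rendered output contain any tag that is not one
// of the template's own (ul, li, span)? True means data became markup.
function containsForeignTag(html) {
  return /<(?!\/?(ul|li|span)\b)[a-z]/i.test(html);
}
```

Running both renderers over `SAMPLE_ITEMS` shows the unsafe list carrying a `<script>` element from the author field, while the safe list carries only the template's own tags.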
Comment on attachment 8631739 [details] [review]
Patch with fix of Bug 1177359

Looks good Punam, thanks! Left some minor nits on the PR.
Attachment #8631739 - Flags: review?(jdarcangelo) → review+
Thanks Justin for the review; patch updated with feedback and landed on master:

https://github.com/fxos/customizer-launcher/commit/2abd6b35ad07df55bc9a8683796ac03e8ec0d2d4
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Group: b2g-core-security → core-security
Group: core-security → core-security-release
Group: core-security-release