Closed Bug 1177359 Opened 4 years ago Closed 4 years ago
XSS/HTML Injection in Customizer-Launcher
(Let's keep the idea that this is a security issue within Bugzilla, until this is resolved) The customizer uses app and author in its list view without proper HTML escaping. This can lead to XSS and related issues. I'll follow up with a suggested patch.
I could not figure out how you manage dependencies, so this patch is incomplete. In essence, I suggest using the Sanitizer library which exists in gaia's shared/sanitizer.js. Usage is explained here: https://developer.mozilla.org/en-US/Firefox_OS/Security/Security_Automation. Punam, can you take this from here on?
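To illustrate the pattern the two comments above describe, here is an added example that is not code from this bug or from the customizer-launcher repository: an unescaped list-view template beside one rendered through a tagged template that HTML-escapes interpolated values. The `escapeHTML` tag is a minimal stand-in written for this example, not the API of gaia's shared/sanitizer.js, and `renderRowUnsafe`/`renderRowSafe` are assumed names.

```javascript
// Added example: escapeHTML is a stand-in for the Sanitizer library's
// template-string approach, not the library itself; all names are assumed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change meaning inside HTML text or attributes.
function escapeText(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tag function: literal template parts are developer-written markup and are kept
// as-is; every interpolated value is untrusted data and is escaped.
function escapeHTML(strings, ...values) {
  return strings.reduce(
    (out, literal, i) => out + (i > 0 ? escapeText(values[i - 1]) : '') + literal,
    ''
  );
}

// Vulnerable pattern from the bug: app and author concatenated straight into markup.
function renderRowUnsafe(app, author) {
  return `<li class="app"><span class="name">${app}</span> by <span class="author">${author}</span></li>`;
}

// Fixed pattern: identical markup, but the values pass through the escaping tag.
function renderRowSafe(app, author) {
  return escapeHTML`<li class="app"><span class="name">${app}</span> by <span class="author">${author}</span></li>`;
}

// Constructed sample input: an app name carrying markup and an author with quotes.
const SAMPLE_APP = '<b>injected</b> app';
const SAMPLE_AUTHOR = 'Jane "JD" O\'Neil & Co';

// Returns both renderings so the difference can be inspected or asserted on.
function demo() {
  return {
    unsafe: renderRowUnsafe(SAMPLE_APP, SAMPLE_AUTHOR),
    safe: renderRowSafe(SAMPLE_APP, SAMPLE_AUTHOR),
  };
}

console.log(demo());
```

In the unsafe rendering the `<b>` tag from the app name becomes live markup; in the safe one it is rendered as literal text.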
Assignee: nobody → pdahiya
Thanks Frederik for the patch. I will take it from here and bring in and use shared/sanitizer.js in the customizer launcher app.
Punam, you can now pull in sanitizer.js using Bower: https://github.com/fxos-eng/sanitizer
Thanks Justin. I will submit the patch using Bower (https://github.com/fxos-eng/sanitizer) in CL.
Hi Justin, attaching a patch that uses Sanitizer with template strings in CL. Please review. Thanks!
Attachment #8631739 - Flags: review?(jdarcangelo)
Comment on attachment 8631739 [details] [review] (Patch with fix of Bug 1177359): Looks good Punam, thanks! Left some minor nits on the PR.
Attachment #8631739 - Flags: review?(jdarcangelo) → review+
Thanks Justin for the review. Patch updated with feedback and landed on master: https://github.com/fxos/customizer-launcher/commit/2abd6b35ad07df55bc9a8683796ac03e8ec0d2d4
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED