Bug 1177359 - XSS/HTML Injection in Customizer-Launcher
Status: RESOLVED FIXED (Closed; opened 9 years ago, closed 9 years ago)
Categories: Firefox OS Graveyard :: Gaia::Customizer, defect
Tracking: blocking-b2g: spark?
People: Reporter: freddy, Assigned: pdahiya
Keywords: sec-high, wsec-xss
Attachments: 2 files
(Let's keep the idea that this is a security issue within Bugzilla, until this is resolved) The customizer uses app and author in its list view without proper HTML escaping. This can lead to XSS and related issues. I'll follow up with a suggested patch.
Comment 1 • 9 years ago (Reporter)
I could not figure out how you manage dependencies, so this patch is incomplete. In essence, I suggest using the Sanitizer library which exists in gaia's shared/sanitizer.js. Usage is explained here: https://developer.mozilla.org/en-US/Firefox_OS/Security/Security_Automation
Punam, can you take this from here on?
Flags: needinfo?(pdahiya)
Updated • 9 years ago (Assignee)
Assignee: nobody → pdahiya
Flags: needinfo?(pdahiya)
Comment 2 • 9 years ago (Assignee)
Thanks Frederik for the patch. I will take it from here and bring in and use shared/sanitizer.js in the customizer launcher app.
Updated • 9 years ago (Reporter)
blocking-b2g: --- → spark?
Comment 4 • 9 years ago
Punam, you can now pull in sanitizer.js using Bower: https://github.com/fxos-eng/sanitizer
Comment 5 • 9 years ago (Assignee)
Thanks Justin, I will submit the patch using Bower (https://github.com/fxos-eng/sanitizer) in CL.
Flags: needinfo?(pdahiya)
Comment 6 • 9 years ago (Assignee)
Hi Justin, attaching a patch that uses Sanitizer with template strings in CL. Please review. Thanks!
Attachment #8631739 - Flags: review?(jdarcangelo)
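The bug class named in the description (app and author fields dropped into list-view markup without HTML escaping) and the fix approach named in comment 6 (routing interpolated values through a tagged template), as an added example that is not code from the customizer-launcher project or from the fxos-eng/sanitizer library. The names untrustedApp, escapeText, safeHTML, renderUnsafe, renderSafe and tagsOpened are assumed for this illustration, the sample record is constructed, and safeHTML is a minimal stand-in for the real sanitizer.js API documented at the link in comment 1.

```javascript
// Added example; not the customizer-launcher code nor the sanitizer.js API.

// Constructed sample record: an app entry whose fields are attacker-controlled,
// as the `app` and `author` values shown in the list view would be.
const untrustedApp = {
  name: '<img src=x onerror="alert(1)">',
  author: 'Mallory & Co <b>',
};

// Vulnerable pattern: a plain template literal builds markup destined for
// innerHTML, so the fields land in the page unescaped and the <img> becomes
// a live element whose onerror handler runs.
function renderUnsafe(app) {
  return `<li class="app"><span class="name">${app.name}</span> by <span class="author">${app.author}</span></li>`;
}

// Escape the characters HTML interprets in text and attribute contexts.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeText(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Hypothetical tag function (stand-in for sanitizer.js): the static template
// parts are developer-written markup and pass through untouched; every
// interpolated value is escaped before it is stitched in, so data can never
// open a tag or break out of an attribute.
function safeHTML(strings, ...values) {
  let out = '';
  for (let i = 0; i < strings.length; i++) {
    out += strings[i];
    if (i < values.length) out += escapeText(values[i]);
  }
  return out;
}

// Hardened pattern: identical markup, but interpolations go through safeHTML.
function renderSafe(app) {
  return safeHTML`<li class="app"><span class="name">${app.name}</span> by <span class="author">${app.author}</span></li>`;
}

// Detection aid for a unit test: count '<' in the rendered fragment. The
// template above opens exactly six (li, span, /span, span, /span, /li); any
// extra '<' came from data and means an injection got through.
function tagsOpened(html) {
  return (html.match(/</g) || []).length;
}

// Stand-alone run: the unsafe render carries two injected tags, the safe one none.
console.log(renderUnsafe(untrustedApp), tagsOpened(renderUnsafe(untrustedApp)));
console.log(renderSafe(untrustedApp), tagsOpened(renderSafe(untrustedApp)));
```

The escaped output is still assigned to innerHTML as before; what changes is that untrusted text can only ever appear as text. Counting tags in a test is a cheap regression check that a later refactor has not reverted a list-view template to a plain literal.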
Comment 7 • 9 years ago
Comment on attachment 8631739 [details] [review]: Patch with fix of Bug 1177359
Looks good Punam, thanks! Left some minor nits on the PR.
Attachment #8631739 - Flags: review?(jdarcangelo) → review+
Comment 8 • 9 years ago (Assignee)
Thanks Justin for the review; patch updated with feedback and landed on master: https://github.com/fxos/customizer-launcher/commit/2abd6b35ad07df55bc9a8683796ac03e8ec0d2d4
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated • 9 years ago
Group: b2g-core-security → core-security
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release