Closed Bug 1206388 Opened 5 years ago Closed 5 years ago

Location Bar allows character escaping and shows raw JSON in autocomplete pop-up

Categories

(Firefox :: Address Bar, defect, P3)

x86_64
Windows 10
defect

Tracking

()

RESOLVED DUPLICATE of bug 1233672
Tracking Status
firefox42 --- ?
firefox43 --- affected

People

(Reporter: rctgamer3, Unassigned)

Details

(Whiteboard: [unifiedcomplete][fxsearch])

Attachments

(1 file)

Found this while accidentally entering wrong slashes in the location bar. Nightly 43.0a1, build 2015-09-18.

STR:
1) type http://foo.bar/\"123" into the location bar by hand so the autocomplete pop-up shows.
2) Raw JSON is visible in the autocomplete pop-up: Visit {"url":"http://foo.bar/\"123""."input":"http://foo.bar/\\\"123\""}
Not sure if this allows for some kind of vulnerability but this shouldn't happen either way.
Priority: -- → P3
Whiteboard: [unifiedcomplete][fxsearch]
Yep, I filed some bugs about JSON in urlbar, e.g. bug 1187653 (somehow lower priority) has the same STR
But, is this bug about not showing JSON at all? Showing only "url" of that object would be a great partially solution until all these edge cases will be properly resolved (if ever).
Rank: 35
Bump. Since Firefox 43 is the current release version, this bug made it into release.
Drew is looking into bug 1233672 that may end up solving this one too.
I don't think this is critical, but we should try to fix it soon.
Depends on: 1233672
Severity: normal → major
Status: NEW → RESOLVED
Closed: 5 years ago
No longer depends on: 1233672
Resolution: --- → DUPLICATE
Duplicate of bug: 1233672
You need to log in before you can comment on or make changes to this bug.