1224425 - HTML injection with the page title in reader view

Status: NEW

(Firefox for iOS :: Reader View, defect)

Description

[Muneaki Nishimura]

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Steps to reproduce:

1. Open the following Google search result
https://www.google.co.jp/search?q=%3Ch1%3E%3Cs%3E%3Ca+href%3Dhttps%3A%2F%2Fmallory.csrf.jp%3A8020%3EXSS%3C%2Fa%3E%3C%2Fs%3E%3C%2Fh1%3E&oq=%3Ch1%3E%3Cs%3E%3Ca+href%3Dhttps%3A%2F%2Fmallory.csrf.jp%3A8020%3EXSS%3C%2Fa%3E%3C%2Fs%3E%3C%2Fh1%3E
2. Open the  page by reader view


Actual results:

HTML tags in the page title "<h1><s><a href=https://mallory.csrf.jp:8020>XSS</a></s></h1>" is parsed as HTML in reader view.



Expected results:

The page title should be shown as plain text.

Fortunately the reader view is protected by strong CSP (below).
https://github.com/mozilla/firefox-ios/blob/master/Client/Frontend/Reader/ReaderModeHandlers.swift#L45
So I think its risk is not so high since nasty attacks such as XSS and iframe injection are blocked.

Comment 1

[Daniel Veditz [:dveditz]]

Not sure if the iOS version is part of the bounty program but nominating all the same

Comment 2

[Al Billings [:abillings - ex-MoCo]]

Minusing this as a "low" rated security issue. If you can elevate this to a stronger exploit, we can re-examine this. Also, you may wish to see if this is present on Firefox for Android.

Comment 3

[Muneaki Nishimura]

This ticket has passed 2 years since I reported. This is still unfixed but the risk is rated as low.
Could you unhidden the ticket if no risk would be exposed?