Closed Bug 1291797 Opened 9 years ago Closed 9 years ago

HTML in comments is not escaped

Categories

(Webtools Graveyard :: Pontoon, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: mstanke, Unassigned)

Details

Some comments might contain HTML tags, and these tags are currently not being escaped, or do not seem to be. There is at least one l10n entity with an HTML tag in its comment, and that is https://pontoon.mozilla.org/cs/firefox-aurora/dom/chrome/layout/HtmlForm.properties/?string=70080; the unescaped comment is here: https://pontoon.mozilla.org/cs/firefox-aurora/dom/chrome/layout/HtmlForm.properties/?string=70080. If the HTML entities are not escaped there at all, it can cause some security issues just by editing the source file, or at least break the page and the Pontoon UI.
Thanks for reporting! We actually did escape comments, *unless* they contained links. Fixed: https://github.com/mozilla/pontoon/commit/783c6a2ddfe35e0e8b59044cab9fd579a62dba22
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
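The defect described above, in which comments were escaped except on the code path that turned URLs into links, is a common pattern: a "linkify" step that rebuilds markup from the raw string bypasses the escaping applied elsewhere. The following is an added illustration, not Pontoon's code and not the linked commit; the function names (`escapeHtml`, `renderCommentUnsafe`, `renderComment`), the URL regex and the sample comment are all assumptions. It shows the buggy shape (escape only when no link is present) beside the hardened shape (escape first, then linkify the already-escaped text):

```javascript
// Added example: rendering localization comments that may contain URLs.
// Not Pontoon's code; helper names and the URL pattern are assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Only http(s) URLs are linkified; the character class stops at whitespace
// and quote/angle characters so a match cannot break out of the attribute.
const URL_RE = /https?:\/\/[^\s<>"']+/g;

// Buggy shape (the behaviour this bug describes): the comment is escaped
// only when it contains no URL. When a URL is present, the raw comment is
// passed through replace(), so any markup around the URL reaches the DOM.
function renderCommentUnsafe(comment) {
  if (comment.search(URL_RE) === -1) {
    return escapeHtml(comment);
  }
  return comment.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened shape: escape the whole comment first, then linkify the escaped
// string. The URL survives escaping (only '&' changes, to '&amp;'), and a
// browser decodes '&amp;' back to '&' inside the href attribute value.
function renderComment(comment) {
  const safe = escapeHtml(comment);
  return safe.replace(
    URL_RE,
    (url) => `<a href="${url}" rel="noopener noreferrer">${url}</a>`
  );
}

// Constructed sample comment: a placeholder wrapped in a tag, plus a link.
const SAMPLE_COMMENT = 'Placeholder <b>%S</b> is a number; see https://example.com/?a=1&b=2';

console.log('unsafe:', renderCommentUnsafe(SAMPLE_COMMENT));
console.log('safe:  ', renderComment(SAMPLE_COMMENT));
```

Running the block shows the unsafe renderer emitting the literal `<b>` tag whenever a URL is present, while the hardened renderer emits `&lt;b&gt;` and still produces a working anchor. The general rule is that the escaping step must run on the untrusted input before any step that builds markup, never only on some branches.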
Good, works now. If this is deployed everywhere, what are the policies to unmark this bug as security, so it's publicly accessible? I think no bugs should stay hidden after being resolved.
Status: RESOLVED → VERIFIED
Agreed, unhiding.
Group: webtools-security
Product: Webtools → Webtools Graveyard