Closed Bug 1429022 Opened 6 years ago Closed 6 years ago

Firefox 57.0.4 and Firefox Developer Edition 58.0.b14 could run malicious code through a website search query

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Version:
58 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 528661

People

(Reporter: pljcbsn, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180103230655

Steps to reproduce:

I'm working through a WordPress development course that focuses on a fictional university website. At one point in the course, the instructor demonstrates how a particular PHP function ("get_search_query()") protects users from attempts to run malicious JavaScript code.

Ordinarily this function escapes code and converts it into plain text. For the purposes of the exercise, we disabled this protection by passing a "false" argument to this function.


Actual results:

Chrome blocks the code nevertheless (see here: https://jacobson-cloud.s3.amazonaws.com/Shared%20media/Banners_and_Alerts_and_localhost.png)

Firefox and Firefox Developer Edition, on the other hand, will run this malicious code. Here is an example: https://jacobson-cloud.s3.amazonaws.com/Shared%20media/Firefox_running_JS_in_search.mp4

I have enabled "Block dangerous and deceptive content" in my Preferences. It has no effect. The browser still runs this code.


Expected results:

Firefox should prevent this code from running and, instead, warn users that this could be an attempt to run malicious code and require a user override to continue.
Component: Untriaged → Security
Product: Firefox → Core
This seems to be a request to implement an XSS filter in Firefox. We've already investigated doing so and decided not to.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.