14981 - [Feature] Javascript can execute in any file regardless of extension

Status: VERIFIED DUPLICATE of bug 55731

(Core :: Networking, defect, P3)

Description

[Stephen P. Morse]

Create a file with the following content

   <SCRIPT>alert('Oops')</SCRIPT>

and name it abc.xyz.  Open that file in the 5.0 browser and the javascript will
execute.  This should not happen -- only files with certain extensions such as
.html should be capable of executing javascript.

This bug can be used as the basis of a security attack (see bug 9419)

Comment 1

[Gagan]

steve why do you think this is Necko?

Comment 2

[Gagan]

BTW extensions should not control javascript execution.

Comment 3

[Stephen P. Morse]

Assigning to Norris so that he can find the real owner of this bug.

Comment 4

[leger]

Bulk move of all Necko (to be deleted component) bugs to new Networking

component.

Comment 5

[Stephen P. Morse]

Norris, why did you add "[FEATURE]" to the summary line.  I wasn't asking for a
feature here, rather I was asking to close what could be a security hole.  In
4.x you couldn't execute javascript in any file but rather only in ones with
certain extensions.  That's why I reported this as a bug, not a feature request.

Comment 6

[Stephen P. Morse]

Hey, guess what!  This bug is no more.  I just tested it out and now it works
fine.  Here I've had bug 9419 blocked by this and didn't realize that it was
working fine.

Closing it out as works-for-me.

Comment 7

[Joseph Elwell]

This is working for me too. I created a .txt file with the alert and it was not
executed. [bugday]marking verified. worksforme on winNT build 2000022908.

Comment 8

[Stephen P. Morse]

Turns out this bug wasn't fixed after all.  See bug 55731.  Reopening and 
duping.

Comment 9

[Stephen P. Morse]

*** This bug has been marked as a duplicate of 55731 ***

Comment 10

[John Unruh]

Verified dupe.