Closed
Bug 1498566
Opened 6 years ago
Closed 5 years ago
Remove new Function from dialog.xml
Categories
(Core :: DOM: Security, enhancement, P3)
Core
DOM: Security
Tracking
()
RESOLVED
FIXED
mozilla68
| Tracking | Status | |
|---|---|---|
| firefox68 | --- | fixed |
People
(Reporter: vinoth, Assigned: jallmann)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog1])
Attachments
(2 files)
Eval(), new Function() should never execute with system principal.It is being removed everywhere from our codebase as part of Bug 1473549. The affected code which should be rewritten, https://dxr.mozilla.org/mozilla-central/rev/c291143e24019097d087f9307e59b49facaf90cb/toolkit/content/widgets/dialog.xml#418
|
Reporter | |
Updated•6 years ago
|
Component: XUL Widgets → DOM: Security
Product: Toolkit → Core
|
||
Updated•6 years ago
|
Whiteboard: [domsecurity-backlog1]
|
|
Reporter | |
Updated•6 years ago
|
Assignee: nobody → cegvinoth
Status: NEW → ASSIGNED
|
|
Reporter | |
Comment 1•6 years ago
|
||
|
|
Reporter | |
Comment 2•5 years ago
|
||
In order to clarify the things I will summarize the changes required for this bug, In order to remove the usage of new Function from dialog.xml[1], we need to remove the usage of attributes[2] ondialogaccept, ondialogcancel, ondialogdisclosure, ondialogextra1, ondialogextra2 and ondialoghelp from all the places within our codebase. Please correct me if I got something wrong about this approach. [1] - https://dxr.mozilla.org/mozilla-central/rev/c291143e24019097d087f9307e59b49facaf90cb/toolkit/content/widgets/dialog.xml#418 [2] - https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/dialog#Attributes
Flags: needinfo?(gijskruitbosch+bugs)
|
||
Comment 3•5 years ago
|
||
(In reply to Vinothkumar Nagasayanan [:vinoth] from comment #2) > In order to clarify the things I will summarize the changes required for > this bug, > > In order to remove the usage of new Function from dialog.xml[1], we need to > remove the usage of attributes[2] ondialogaccept, ondialogcancel, > ondialogdisclosure, ondialogextra1, ondialogextra2 and ondialoghelp from all > the places within our codebase. Please correct me if I got something wrong > about this approach. Yep, this seems fine; we'll need to use custom events to do the same thing that the attributes do today.
Flags: needinfo?(gijskruitbosch+bugs)
|
|
Reporter | |
Updated•5 years ago
|
Assignee: cegvinoth → nobody
Status: ASSIGNED → NEW
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → jallmann
|
|
Assignee | |
Updated•5 years ago
|
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 4•5 years ago
|
||
Remove the now obsolete event handling code including new Funcition. Remove dialog.xml from eval() whitelist.
|
|
Assignee | |
Updated•5 years ago
|
Keywords: checkin-needed
|
|
Assignee | |
Comment 5•5 years ago
|
||
Dev-Docs for the dialog XUL-Element need to be updated as a result of this bug.
https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/dialog#Attributes
The attributes ondialogaccept, ondialogcancel, ondialogdisclosure, ondialogextra1, ondialogextra2, ondialoghelp won't be supported anymore and should be removed from the docs. Using JS-eventHandlers is recommended instead.
Keywords: dev-doc-needed
Pushed by dluca@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4c124c1db332
Remove custom event handling code from dialog.xml, r=Gijs
Keywords: checkin-needed
|
||
Comment 7•5 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox68:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
|
||
Comment 8•5 years ago
|
||
attributes removed from docs as instructed.
Keywords: dev-doc-needed → dev-doc-complete
You need to log in
before you can comment on or make changes to this bug.
Description
•