Closed Bug 1498569 Opened 6 years ago Closed 6 years ago

Remove new Function from wizard.xml

Categories

(Core :: DOM: Security, enhancement, P3)

Product:
Core
Component:
DOM: Security
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox68 --- fixed

People

(Reporter: vinoth, Assigned: jallmann)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog1])

Attachments

(2 files)

Bug 1498569 - Replaced new Function in wizard.xml using loadsubscript
47 bytes, text/x-phabricator-request
Details | Review
Bug 1498569, Replace wizard.xml attributes with event listeners, r=gijs
47 bytes, text/x-phabricator-request
Details | Review
Eval(), new Function() should never execute with system principal.It is being removed everywhere from our codebase as part of Bug 1473549. The affected code which should be rewritten, https://dxr.mozilla.org/mozilla-central/rev/c291143e24019097d087f9307e59b49facaf90cb/toolkit/content/widgets/wizard.xml#422
Component: General → DOM: Security
Product: Toolkit → Core
Whiteboard: [domsecurity-backlog1]
Assignee: nobody → cegvinoth
Status: NEW → ASSIGNED
Assignee: cegvinoth → nobody
Status: ASSIGNED → NEW

I have a question that also applies to Bug 1498566.
After replacing all onwizard*-attributes in the codebase by proper event handlers, can I just remove this block of code

https://searchfox.org/mozilla-central/source/toolkit/content/widgets/wizard.xml#419

entirely without replacement? And if yes, am I right that this documentation

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/wizard

would have to be adapted, because the attributes wont work anymore?

Flags: needinfo?(gijskruitbosch+bugs)

(In reply to Jonas Allmann [:jallmann] from comment #2)

I have a question that also applies to Bug 1498566.
After replacing all onwizard*-attributes in the codebase by proper event handlers, can I just remove this block of code

https://searchfox.org/mozilla-central/source/toolkit/content/widgets/wizard.xml#419

entirely without replacement? And if yes, am I right that this documentation

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/wizard

would have to be adapted, because the attributes wont work anymore?

Yes for both of these. :-)

Flags: needinfo?(gijskruitbosch+bugs)
Assignee: nobody → jallmann
  • Removed all occurences of custom onwizard* attributes.
  • Removed custom handler code from wizard.xml.
  • Updated eval()-usage whitelist.
Status: NEW → ASSIGNED

Dev-docs need to be updated as a consequence of this Bug.

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/wizard

The attributes onextra1, onextra2, onwizardback, onwizardcancel, onwizardfinish, onwizardnext for the XUL-Element wizard are no longer supported. Using custom event handlers in the script code is recommended instead.

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/wizardpage

The attributes onpageadvanced, onpagehide, onpagerewound, onpageshow for the wizardpage Element are no longer supported either.

Keywords: dev-doc-needed

This Bug is ready to land, could you do that for me, ckerschb?

Flags: needinfo?(ckerschb)

I've triggered lando for you. In future, you can also set the 'checkin-needed' keyword on the bug.

Flags: needinfo?(ckerschb)
Pushed by gijskruitbosch@gmail.com: https://hg.mozilla.org/integration/autoland/rev/156372e0b165 Replace wizard.xml attributes with event listeners, r=Gijs

https://hg.mozilla.org/mozilla-central/rev/156372e0b165

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox68: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Depends on: 1541136
Regressions: 1542844
No longer regressions: 1542844

docs deleted as requested

Keywords: dev-doc-neededdev-doc-complete
Regressions: 1544277
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: