1563127 - Strings (and potentially whole page) fail to render due to invalid JSON from highlights title with quotes

Status: VERIFIED FIXED

(Firefox :: New Tab Page, defect, P1)

Description

[Ed Lee :Mardak]

The JSON for data-l10n-args created manually is incorrect:

<button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{ &quot;title&quot;: &quot;Resolving Error: &quot;Objects are not valid as a React child&quot;&quot; }" class="context-menu-button icon"></button>

Here's the js string value:

{ "title": "Resolving Error: "Objects are not valid as a React child"" }

This particular string injection came from

data-l10n-args={`{ "title": "${title}" }`}

https://github.com/mozilla/activity-stream/blob/1effc63a887147b3ef374945c05b830abbb60a1b/content-src/components/Card/Card.jsx#L249

We should make sure we don't allow string injection and make sure to just call stringify. And fix up all places where we do something similar.

Comment 1

[GitHub Bugzilla PR Linker]

Attachment: Link to GitHub pull-request: https://github.com/mozilla/activity-stream/pull/5149

Comment 2

[Ed Lee :Mardak]

This can be tested by creating a bookmark with double quotes in the title

Comment 3

[Ed Lee :Mardak]

https://hg.mozilla.org/mozilla-central/rev/fe000c5de938

Comment 4

[Marius Coman [:mcoman], Ecosystem QA]

I have verified that this issue is no longer reproducible with the latest Firefox Nightly (69.0a1 Build ID - 20190705064618) installed, on Windows 10 x64, Arch Linux and Mac 10.14.5. Now, the strings from the bookmarks highlights that are containing double quotes in the title are successfully rendered.