Closed Bug 1590616 Opened 6 years ago Closed 6 years ago

xss bug command

Categories

(www.mozilla.org :: General, defect)

Production
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: u635660, Unassigned, NeedInfo)

Details

(Keywords: reporter-external)

Attachments

(1 file)

Attached image firefox 2.PNG

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0

Steps to reproduce:

1. Open Firefox
2. Search mozilla.org
3. Go to Google Chrome console
4. Type this command: javascript:/--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[/[]/+alert(1)//'>

Actual results:

It did an XSS alert pop-up box.

Expected results:

It should not do an XSS alert.

3. Open Firefox console *

Hi planetman1125, thanks for the report!

I'm getting a SyntaxError: invalid regular expression flag t on https://www.mozilla.org/en-US/ on latest Firefox Nightly and Release though I see you're on Firefox 70, which might still be affected.

Are you suggesting users and web developers should not be able to alert from the browser console?

Also, it might be worth noting that self-XSS is excluded from the bug bounty: https://www.mozilla.org/en-US/security/web-bug-bounty/#eligibility

Flags: needinfo?(planetman1125)

This is not a bug, as it essentially applies to every browser and every website ever created. It's not even really a self-XSS, it's simply telling your browser to execute JavaScript.

Group: websites-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: sec-bounty-hof-
Flags: sec-bounty-
Resolution: --- → INVALID