Open Bug 1714648 Opened 3 years ago

Copy to Clipboard links results in an empty event handler firing. (Sometimes)

Categories

(Firefox :: Downloads Panel, enhancement)

People

(Reporter: tjr, Unassigned)

One of the things we're trying to do in Bug 1562221 is eliminate all the cases where random JavaScript (i.e. not a defined function in a chrome:// or resource:// file) gets run. Once those cases are eliminated, we can enforce restrictions that ensure an attacker can't (or at least is very hampered in the attempt to) run arbitrary JS in the parent. (This has been an attack vector for sandbox escapes.)

If you run with MOZ_LOG="CSMLog:3" and search for ValidateScriptFilename (or break here in the parent) you should see us run some offending JS.

By moving up the callstack to FunctionCompiler::finish I could get the following:

(gdb) print newSrcBuf->units_
$19 = 0x7fff8d56f7c0 u"function oncommand(event) {\n;\n}\005"

So it's an empty event handler that I can't quite figure out where or why it comes from. I tried debugging with the Browser Toolbox, but the only event handler attached to the menu item is the default click handler.

So I'm not sure where this is coming from or how to prevent it. If anyone more familiar with debugging browser-side might be able to provide some thoughts, I'd appreciate it.
