Open
Bug 1763520
Opened 3 years ago
Updated 2 years ago
Add new attribute for callbacks to mark them "can-run-script"
Categories
(Developer Infrastructure :: Source Code Analysis, enhancement, P3)
Tracking
(Not tracked)
NEW
People
(Reporter: masayuki, Unassigned)
I realized that there is no check to call callbacks which may run script. For example, HTMLEditor::CreateAndInsertElement calls aInitializer which may run script. However, you can change this call:
rv = aInitializer(*this, *newElement, aPointToInsert);
to:
HTMLEditor* self = this;
rv = aInitializer(*self, *newElement, aPointToInsert);
I think that the argument should be able to be marked as "can-run-script" or should assume that any callbacks of MOZ_CAN_RUN_SCRIPT methods are dangerous. And "can-run-script" lambdas should be accepted by "can-run-script" methods.
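The lifetime hazard behind this request, as an added example that is not part of the bug report or Mozilla's code: a callback that may run script can release the object it was handed, so a raw pointer passed across the call can dangle while a stack-held strong reference cannot. Node, Document, DropRoot and both Survives* functions are hypothetical names, and std::shared_ptr stands in for the tree's own reference counting.

```cpp
#include <functional>
#include <memory>

// Constructed stand-ins, not Gecko types: Node plays the refcounted object,
// Document holds the only long-lived strong reference to it.
struct Node { int value = 0; };
struct Document { std::shared_ptr<Node> root = std::make_shared<Node>(); };

// A callback parameter like aInitializer: the callee cannot see what it does.
using Initializer = std::function<void(Node&)>;

// Simulates a callback that runs script which drops the document's reference.
Initializer DropRoot(Document& doc) {
  return [&doc](Node& n) { n.value = 1; doc.root.reset(); };
}

// Raw-pointer shape: nothing on the stack keeps the node alive across the
// callback. Liveness is observed through a weak_ptr; raw is never
// dereferenced after the call.
bool SurvivesWithRawPointer(Document& doc, const Initializer& init) {
  std::weak_ptr<Node> watch = doc.root;
  Node* raw = doc.root.get();
  init(*raw);
  return !watch.expired();
}

// Strong-reference shape: a stack-owned reference pins the node until the
// callback has returned.
bool SurvivesWithStrongRef(Document& doc, const Initializer& init) {
  std::weak_ptr<Node> watch = doc.root;
  std::shared_ptr<Node> strong = doc.root;
  init(*strong);
  return !watch.expired();
}

int main() {
  Document a, b;
  bool rawAlive = SurvivesWithRawPointer(a, DropRoot(a));      // false
  bool strongAlive = SurvivesWithStrongRef(b, DropRoot(b));    // true
  return (!rawAlive && strongAlive) ? 0 : 1;
}
```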
Comment 1•3 years ago
The severity field is not set for this bug.
:andi, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(bpostelnicu)
Updated•3 years ago
Severity: -- → N/A
Type: defect → enhancement
Flags: needinfo?(bpostelnicu)
Priority: -- → P3
Updated•2 years ago
Product: Firefox Build System → Developer Infrastructure