Closed Bug 180757 Opened 22 years ago Closed 12 years ago

XUL elements have lots of attributes that probably need but doen't have CheckLoadURI() calls, like databaseURI, datasourceURI etc.

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME
Milestone:
mozilla1.4final

People

(Reporter: bsharma, Unassigned)

Details

(Whiteboard: [adt2][sg:investigation]) 

This bug is reported as the issue in the module review and jrgm asked me to make
a bug out of it.
Whiteboard: [sg:investigation]
Search, and limit loading to same host.
Keywords: nsbeta1
Target Milestone: --- → mozilla1.4beta
Nav triage team: nsbeta1+/adt2
Keywords: nsbeta1nsbeta1+
Whiteboard: [sg:investigation] → [adt2][sg:investigation]
Chris will try to get this for 1.4final, reassigning.
Assignee: jaggernaut → caillon
Target Milestone: mozilla1.4beta → mozilla1.4final
<xul:image src="file://foo"/> from remote xul seems to work.  (same if you use a
chrome: uri)
xul:image we are not very concerned about at this point, unless it can cause bad
side effects. The reason is that HTML img and input src has no checks either and
these are public bugs. A thing to fix, but no need to be security sensitive.

So any side effects, like if you use data or JS url or the file is not image
(like if it is plugin or JS or something)? Anything else?
Assignee: caillon → hyatt
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: shrir → xptoolkit.widgets
Assignee: hyatt → nobody
Content XUL is gone.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.