Calling Document.parseHTMLUnsafe() in a browser extension content script crashes the tab
Categories
(WebExtensions :: General, defect, P2)
Tracking
(firefox129 unaffected, firefox130 affected, firefox131 affected, firefox150 verified)
| | Tracking | Status |
|---|---|---|
| firefox129 | --- | unaffected |
| firefox130 | --- | affected |
| firefox131 | --- | affected |
| firefox150 | --- | verified |
People
(Reporter: czerny.jakub, Assigned: robwu)
References
Details
(Whiteboard: [addons-jira])
Attachments
(3 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Steps to reproduce:
Use Document.parseHTMLUnsafe() in a content script of a Firefox browser extension.
Steps to reproduce:
- load the extension.zip browser extension attached as a temporary extension (about:debugging#/runtime/this-firefox)
- open any regular page, e.g. https://developer.mozilla.org
- select "Crush tab" from the context menu
Actual results:
"Gah. Your tab just crashed." crashed tab form is shown.
Console dump of the Browser Toolbox is attached.
Expected results:
The tab shouldn't crash.
Comment 1•1 year ago (Reporter)
Browser toolbox console dump
Comment 2•1 year ago
The Bugbug bot thinks this bug should belong to the 'WebExtensions::Untriaged' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 3•1 year ago
Hello,
I reproduced the issue on the latest Nightly (131.0a1/20240811212519) and Beta (130.0b3/20240809091641) under Windows 10 x64 and Ubuntu 22.04 LTS. The issue does NOT reproduce on the latest Release (129.0/20240801122119).
Since Release 129 does not seem to be affected by the issue, I performed a mozregression but did not find a regressor. All the tested builds (from 128 to 130) were bad.
Comment 4•1 year ago
Comment 5•1 year ago
The severity field is not set for this bug.
:zombie, could you have a look please?
For more information, please visit BugBot documentation.
Comment 6•1 year ago
I'm linking the eslint no-unsanitized plugin PR to also have linting warnings on usage of the Document.parseHTMLUnsafe static method:
Comment 7•11 days ago
Hi, there has recently been a spike in crashes related to this issue (see bug 1937488). The patch on this bug appears to be the correct solution; what all would need to be done in order to get it landed? I'm willing to take it over if needed.
Comment 8•10 days ago (Assignee)
I have updated the patch, it is ready for review. Thanks for flagging the other bug.
I'm going to mark this as a blocker to bug 1937488 instead of "See also" because I expect the fix here to resolve the crashes in bug 1937488.
Comment 10•5 days ago
bugherder
Comment 11•4 days ago
Verified as Fixed. Tested on the latest Nightly (150.0a1/20260305002319) under Windows 11 and Ubuntu 24.10.
Using the extension and STR from Comment 0, the tab no longer crashes.