Closed Bug 270302 Opened 20 years ago Closed 18 years ago

Profiler HTML output formatter is unsafe

Categories

(Other Applications Graveyard :: Venkman JS Debugger, defect)

Type: defect, Priority: Not set, Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: timeless, Assigned: bugzilla-mozilla-20000923)

Attachments

(2 files, 1 obsolete file)

Steps:
1. open venkman
2. profile>collect profiling data
3. load url from bug
4. profile>collect profiling data
5. profile>save profile data as...
6. name the file generated.html and select html as your output format.
7. load the html file (I'll attach the generated file to this bug)

Expected results: profile should be XSS-free

Actual results: boo
Attached file generated profile
Product: Core → Other Applications
Assignee: rginda → silver
Status: UNCONFIRMED → NEW
Ever confirmed: true
Status: NEW → ASSIGNED
OS: Windows XP → All
Hardware: PC → All
This adds escaping of <, >, &, " and ' to the HTML and XML output. I've not tried to figure out what/how you escape in CSV. I needed to add __url__ (or some other known dummy property) to the report template so that the code could check what kind of report it was going to generate. Thinking about it, I could probably have used the file parameter instead, but I think knowing the template is better.
Attachment #221116 - Flags: review?(timeless)
Attachment #221116 - Flags: review?(timeless) → review+
http://www.creativyst.com/Doc/Articles/CSV/CSV01.htm#FileFormat seems to be good enough, sorry about the latency.
Comment on attachment 221116 [details] [diff] [review]
[checked in] Escape dodgy characters for HTML & XML output

Landed. CSV fix to follow.

Don't worry about the latency, 10 days is *bloody* fast around here. ;)
Attachment #221116 - Attachment description: Escape dodgy characters for HTML & XML output → [checked in] Escape dodgy characters for HTML & XML output
Attachment #221116 - Attachment is obsolete: true
This causes the URL, filename and function names (the string parts) to be escaped in CSV profile output according to the following rules:
  - Double-quote always (for my sanity).
  - Repeat embedded double-quote marks, per CSV escaping rules.

This renders the testcase's line as:

"data:text/html,<html><head><title>'</title><textarea>""<b><script>alert(""boo"");</script></head></textarea><script>function a(){} window.setTimeout(a, 0)</script>", "title><textarea>""<b><script>alert(""boo"")", "a", 1, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0

(Function name looks... wrong, but it's all safely escaped.)
Attachment #243178 - Flags: review?(rginda)
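The two escaping rules settled on in this bug, markup escaping of &, <, >, " and ' for the HTML/XML report and always-quote-and-double-the-quotes for the CSV report, as an added example. This is not Venkman's code: the record shape `{ url, file, fn, counts }`, the function names and the choice of `&#39;` for the apostrophe (`&apos;` is not defined in HTML 4, `&#39;` works in both HTML and XML) are assumptions made here. The sample record is reconstructed from the CSV line quoted above by un-doubling its quotes; the original testcase attachment is not on the page. A strict reader for the same CSV dialect is included so the row can be checked to round-trip.

```javascript
// Added example (not Venkman's own code): escaping of profile-report fields
// for the HTML/XML and CSV output formats discussed in bug 270302.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// HTML/XML output: escape the five characters that can close a text node,
// a tag or an attribute value, so a hostile URL, filename or function name
// stays inert in the generated report.
function escapeMarkup(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The unfixed behaviour, for contrast: fields dropped straight into markup.
function naiveHtmlRow(rec) {
  const cells = [rec.url, rec.file, rec.fn, ...rec.counts];
  return "<tr>" + cells.map((c) => `<td>${c}</td>`).join("") + "</tr>";
}

function htmlRow(rec) {
  const cells = [rec.url, rec.file, rec.fn, ...rec.counts].map(escapeMarkup);
  return "<tr>" + cells.map((c) => `<td>${c}</td>`).join("") + "</tr>";
}

// CSV output: string fields are always double-quoted and any embedded double
// quote is doubled; the numeric columns are emitted bare.
function csvField(v) {
  if (typeof v === "number") return String(v);
  return '"' + String(v).replace(/"/g, '""') + '"';
}

function csvRow(rec) {
  return [rec.url, rec.file, rec.fn, ...rec.counts].map(csvField).join(", ");
}

// Strict reader for the same dialect (", " separators, "" for an embedded
// quote). Quoted fields end at a quote that is not followed by another quote.
function parseCsvRow(line) {
  const fields = [];
  let i = 0;
  for (;;) {
    while (line[i] === " ") i++;
    if (line[i] === '"') {
      let s = "";
      i++;
      for (;;) {
        if (i >= line.length) throw new Error("unterminated quoted field");
        if (line[i] === '"') {
          if (line[i + 1] === '"') { s += '"'; i += 2; continue; }
          i++;
          break;
        }
        s += line[i++];
      }
      fields.push(s);
    } else {
      let j = line.indexOf(",", i);
      if (j === -1) j = line.length;
      fields.push(line.slice(i, j).trim());
      i = j;
    }
    if (i >= line.length) return fields;
    if (line[i] !== ",") throw new Error(`unexpected character at offset ${i}`);
    i++;
  }
}

// Constructed sample: the bug's testcase record, rebuilt from the CSV line
// quoted in the bug by un-doubling the quotes.
const TESTCASE = {
  url: `data:text/html,<html><head><title>'</title><textarea>"<b><script>alert("boo");</script></head></textarea><script>function a(){} window.setTimeout(a, 0)</script>`,
  file: `title><textarea>"<b><script>alert("boo")`,
  fn: "a",
  counts: [1, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0],
};

// Quick self-check when run directly: the naive row carries a live <script>,
// the escaped row does not, and the CSV row parses back to the same fields.
function selfCheck() {
  const fields = parseCsvRow(csvRow(TESTCASE));
  return naiveHtmlRow(TESTCASE).includes("<script>")
    && !htmlRow(TESTCASE).includes("<script")
    && fields[0] === TESTCASE.url && fields[1] === TESTCASE.file;
}
```

Running `selfCheck()` against the sample returns true; the point of the reader is that the doubled-quote rule is only safe if every consumer treats `""` inside a quoted field as a literal quote, which is what the CSV description linked above specifies.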
Comment on attachment 243178 [details] [diff] [review]
Quote and escape CSV

r=rginda
Attachment #243178 - Flags: review?(rginda) → review+
Checked in --> FIXED.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Product: Other Applications → Other Applications Graveyard