293875 - data: URI invisible in source view. Only visible when highlighted.

Status: RESOLVED DUPLICATE of bug 235344

(Toolkit :: View Source, defect)

Description

[Thomas Rathbone]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

The page contains images encoded in data: uri strings using CGI escaping.  The
strings are white/hidden in the source view.

Could this be a potential (admittedly very minor) security problem?  If content
is on the page but invisible in the source view surely this poses a problem as
the source view is often relied on to verify the authenticity of a site and it's
images (e.g doe the paypal image come from the paypal domain?).

Reproducible: Always

Steps to Reproduce:
1. Visit http://redhanded.hobix.com/inspect/sparklinesForMinimalists.html
2. View source.
3. Try to find the image data encoded in the data uri
4. Highlight to see that it is actually there but white for some reason.

N.b. this does not seem to occur on all data uris only some.  Not sure of the
distiguishing detail, perhaps length.

Actual Results:  
Text was there but was white/hidden from viewer

Expected Results:  
all URI content should be visible

Comment 1

[Daniel C]

Status -> NEW

I first noticed this on the Acid2 Test page. Also sometimes, when you highlight
it, you still cannot see the text.

Ways to reproduce this with the given URL: View-Source: Scroll to the right
about 5 times. Notice that the page is very wide. Scroll up all the way from the
bottom to the top. Notice that nothing is seen.

Another way: Try and Find (FAYT) "data:image" (minus quotes.) Notice that the
text gets highlighted, but that it cannot be seen.

Comment 2

[PikeUK]

Until I read comment 1 I was about to mark this a duplicate of Bug 235344. Since
I can't find any data: URIs longer than 4096 in Acid 2 I'm not so sure now.

Comment 3

[Xanthor Sccas]

Works for me on GNU/Linux (Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b2)
Gecko/20050510)

But right-click+"view image" and right-click+"properties" on the data:URI image
don't work : nothing happens (contrary to Moz1.8b1)

Comment 4

[PikeUK]

(In reply to comment #3)
> But right-click+"view image" and right-click+"properties" on the data:URI image
> don't work : nothing happens (contrary to Moz1.8b1)

That sounds like part of Bug 293758.

Comment 5

[Daniel C]

Attachment: Testcase.

Testcase. On my Windows XP at home, when viewing source on this page, the first
line is OK, the second line is invisible (only 1 character longer,) and the
third image is the data:image taken from the URL. It is also invisible.

The weird thing is, line 1 is more than 4 096 characters long (4 679,) but
renders OK in view-source. The next line doesn't.

4 679 is equal to ((2^12) + (2^9) + (2^6) + (2^3) - 1)

Notice the 12, 9, 6, 3 sequence...

Strange. Another strange thing, is that everything is visible in Windows 2 000.
Or Linux. On XP.

Comment 6

[Uri Bernstein]

(In reply to comment #2)
> Until I read comment 1 I was about to mark this a duplicate of Bug 235344. Since
> I can't find any data: URIs longer than 4096 in Acid 2 I'm not so sure now.

The limit for visibility is not necessarily 4096 characters, but a certain
pixel-size. You can verify this by using Ctrl-+ and Ctrl-- to play with the font
size when viewing e.g. the testcase attached to this bug (or those attached to
235344), and see how lines appear (when the font size becomes smaller) or
disappear (when it becomes larger).

So I certainly think this is a duplicate of bug 235344 (or perhaps of bug 92193.
They all seem to be the same issue).

Comment 7

[Daniel C]

Quite true! I can now reproduce it on Windows 2 000 by increasing the text-size.

Comment 8

[Phil Ringnalda (:philor)]

*** This bug has been marked as a duplicate of 235344 ***