Bug 311962
Opened 19 years ago
Closed 19 years ago
eval(code, Components) allows XSS attacks
Categories: Core :: Security, defect
Status: RESOLVED DUPLICATE of bug 311892
People: Reporter: sync2d, Assigned: mrbkap
Whiteboard: [sg:high] xss (splitwindows) dupe of 311892?
Attachments: 1 file (985 bytes, text/html)
eval(code, Components) allows XSS attacks since Components.__parent__ refers to the outer window object. See also: bug 298315, bug 311024
Works on: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20051008 Firefox/1.6a1
Comment 2•19 years ago
Is this essentially testcase 1 of bug 311892?
Components.__parent__.__proto__ === window.__proto__
One way or another we want this fixed with the splitwindows loopholes.
Assignee: dveditz → mrbkap
Blocks: sbb?
Status: UNCONFIRMED → NEW
Depends on: splitwindows, 311024
Ever confirmed: true
Flags: blocking1.8rc1+
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Whiteboard: [sg:high] xss (splitwindows) dupe of 311892?
Comment 3•19 years ago
I'm going to mark this bug a duplicate of bug 311892. The hack-patch that I tried out earlier with Brendan watching also fixed this testcase. I'll ensure that the final patch fixes all testcases in both bugs.
*** This bug has been marked as a duplicate of 311892 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Updated•19 years ago
Flags: blocking1.8rc1+
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Updated•19 years ago
Group: security