Closed
Bug 312108
Opened 19 years ago
Closed 18 years ago
RSS icon can add javascript: URLs as live bookmarks
Categories
(Firefox Graveyard :: RSS Discovery and Preview, defect)
Tracking
(Not tracked)
VERIFIED DUPLICATE of bug 353734
People
(Reporter: jruderman, Unassigned)
References
Details
(Whiteboard: [sg:want P4])
Split from bug 305473.

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051010 Firefox/1.6a1

The RSS icon can reference a javascript: URL. Clicking the RSS icon to add it as a live bookmark adds a live bookmark for a javascript: URL. The javascript: URL doesn't seem to ever be executed, though, so this isn't a security hole by itself.
Flags: blocking1.8rc1?
Comment 1•19 years ago
What's the case where this can be exploited?
Reporter
Comment 2•19 years ago
I don't think this can be exploited. Fixing this would make things safer for extensions that extend Live Bookmark functionality (for example, a theoretical extension that shows a Planet-like view of your Live Bookmarks) and aren't careful with URLs.
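As an added example (not part of the bug thread and not Firefox code), this is the kind of scheme allowlist a consumer of discovered feed URLs could apply before storing or rendering them. The names `safeFeedUrl`, `filterFeeds`, `ALLOWED_FEED_SCHEMES` and the sample values are assumptions made for illustration.

```javascript
// Added example: allowlist check for feed URLs discovered in <link rel="alternate"> tags.
// All names here are hypothetical; this is not the Firefox implementation.
const ALLOWED_FEED_SCHEMES = new Set(["http:", "https:"]);

// Resolve href against the page URL, then accept only allowlisted schemes.
// Returns the normalized absolute URL string, or null when the URL is rejected.
function safeFeedUrl(href, pageUrl) {
  if (typeof href !== "string") return null;
  let resolved;
  try {
    // The WHATWG URL parser trims surrounding whitespace, drops embedded
    // tabs/newlines and lowercases the scheme, so obfuscated spellings of
    // "javascript:" are compared in one canonical form.
    resolved = new URL(href, pageUrl);
  } catch (e) {
    return null; // unparseable input is rejected, not passed through
  }
  // Allowlist rather than blocklist: data:, javascript: and any other
  // scheme not listed above are all rejected by the same check.
  return ALLOWED_FEED_SCHEMES.has(resolved.protocol) ? resolved.href : null;
}

// Keep only the hrefs that survive the check, as absolute URLs.
function filterFeeds(hrefs, pageUrl) {
  return hrefs.map((h) => safeFeedUrl(h, pageUrl)).filter((u) => u !== null);
}

// Constructed sample input (not taken from the bug report).
const SAMPLE_PAGE = "https://example.test/blog/";
const SAMPLE_HREFS = [
  "/feed.xml",                      // relative: resolves to https
  "atom.xml",                       // relative to the page directory
  "https://feeds.example.test/rss", // absolute https
  "javascript:void(0)",             // the case reported in this bug
  "  JaVa\tScRiPt:void(0)",         // same scheme, obfuscated spelling
  "data:text/xml,<rss/>",           // non-network scheme
  "http://[bad",                    // does not parse
];

console.log(filterFeeds(SAMPLE_HREFS, SAMPLE_PAGE));
```

The check belongs at the point where the URL is stored and again wherever it is later rendered or loaded, so that code consuming stored Live Bookmarks does not depend on the discovery step having been careful.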
Updated•19 years ago
Component: Build Config → RSS Discovery and Preview
QA Contact: build.config → nobody
Comment 3•19 years ago
Vlad, when nominating a bug for RC, please provide a description about why you think the bug in question should be a stop ship bug. That helps us evaluate things quickly as we go through the list. Minusing this based on Jesse's last comment about this not being exploitable.
Flags: blocking1.8rc1? → blocking1.8rc1-
Reporter
Updated•19 years ago
Whiteboard: [sg:want P4]
Updated•18 years ago
QA Contact: nobody → rss.preview
Comment 4•18 years ago
*** This bug has been marked as a duplicate of 353734 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Updated•5 years ago
Product: Firefox → Firefox Graveyard