Closed Bug 350830 Opened 18 years ago Closed 18 years ago

Remove x-u-escape encoder/decoder

Categories

(Core :: Internationalization, defect)

Product:
Core
Component:
Internationalization
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: smontagu, Assigned: smontagu)

References

Details

(Keywords: verified1.8.0.12, verified1.8.1.4, Whiteboard: [sg:want] XSS risk for sites)

Attachments

(2 files)

script testcase
227 bytes, text/html; charset=x-u-escaped
Details
Remove it
10.30 KB, patch
jshin1987
: review+
dveditz
: superreview+
dveditz
: approval1.8.1.4+
dveditz
: approval1.8.0.12+
Details | Diff | Splinter Review 
I'm not sure why we even have an x-u-escape decoder and encoder. As far as I know it's not used in web pages. http://www.mozilla.org/projects/l10n/mlp_tools.html mentions that it can be used with stand alone nsconv to convert properties and javascript files, but there are other tools that can do that.

There is also a possible XSS vulnerablity, which I will attach a testcase for instanter.
Attached file script testcase 

    
    

    
  
If we retain the decoder, we could perhaps eliminate the ASCII-spoofing vulnerability by only allowing u-escaped characters outside the ASCII range.

    
  
Blocks: 336553

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Remove itSplinter Review
      

    


  

        Attachment #236836 -
        Flags: superreview?(dveditz)

        Attachment #236836 -
        Flags: review?(jshin1987)

    
    

    
  
Comment on attachment 236836 [details] [diff] [review]
Remove it

r=jshin 
Yes, I'm all for removing it.

        Attachment #236836 -
        Flags: review?(jshin1987) → review+

    
    

    
  
Comment on attachment 236836 [details] [diff] [review]
Remove it

sr=dveditz

        Attachment #236836 -
        Flags: superreview?(dveditz) → superreview+

    
    

    
  
Checked in.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

        Attachment #236211 -
        Attachment mime type: text/html → text/html; charset=x-u-escaped

    
  
Blocks: xss
Whiteboard: [sg:want] XSS risk for sites

    
    

    
  
Should be able to remove this on the 1.8 branch without affecting anyone, right?
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?

    
    

    
  
Right, it shouldn't be a problem.
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+

    
  

        Attachment #236836 -
        Flags: approval1.8.1.4?

        Attachment #236836 -
        Flags: approval1.8.0.12?
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+

    
    

    
  
Comment on attachment 236836 [details] [diff] [review]
Remove it

approved for 1.8.0.12 and 1.8.1.4, a=dveditz

        Attachment #236836 -
        Flags: approval1.8.1.4?

        Attachment #236836 -
        Flags: approval1.8.1.4+

        Attachment #236836 -
        Flags: approval1.8.0.12?

        Attachment #236836 -
        Flags: approval1.8.0.12+

    
  
Keywords: fixed1.8.0.12, 
          
            fixed1.8.1.4

    
    

    
  
v.fixed on 1.8 and 1.8.0 branches with 2.0.0.4rc3 and 1.5.0.12rc2.
Keywords: fixed1.8.0.12, 
          
            fixed1.8.1.4verified1.8.0.12, 
          
            verified1.8.1.4
Group: security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: