Closed
Bug 352437
Opened 18 years ago
Closed 12 years ago
string.link does not escape url
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla17
People
(Reporter: jruderman, Assigned: Ms2ger)
References
Details
(Keywords: dev-doc-complete, sec-want, testcase, Whiteboard: [sg:want])
Attachments
(3 files)
2.52 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
4.59 KB,
patch
|
Details | Diff | Splinter Review | |
1.73 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
js> "foo".link("http://www.google.com/search?q=foo&num=100")
<a href="http://www.google.com/search?q=foo&num=100">foo</a>
In HTML, & in links needs to be escaped as &
Updated•18 years ago
|
Assignee: general → jwalden+bmo
Reporter | ||
Comment 1•18 years ago
|
||
This is worse than I thought: the double-quote character (") isn't escaped either. This caused an XSS hole in mozilla.com (bug 357750), where the developer assumed that String.link was an API for creating a link from any link text and URL. I think we should meet that assumption (rather than telling developers not to use String.link or to escape or sanitize text passed to it), but we'd need to get other browser vendors to fix their String.link implementations too for that problem to really go away.
Updated•17 years ago
|
Assignee: jwalden+bmo → general
Comment 3•16 years ago
|
||
As pointed out in bug 437618 the problem is not limited to .link(), it's all the HTML-helper string methods. e.g.
> javascript:"foo".anchor("hello\"><script>alert(1)</script>")
> javascript:"foo".fontcolor("hello\"><script>alert(1)</script>")
> javascript:"foo".fontsize("hello\"><script>alert(1)</script>")
> javascript:"foo".link("hello\"><script>alert(1)</script>")
Comment 4•16 years ago
|
||
It's not clear that we can fix this, but we'll mark it for investigation.
Flags: wanted1.9.1? → wanted1.9.1+
Updated•16 years ago
|
OS: Mac OS X → All
Hardware: Macintosh → All
Assignee | ||
Updated•12 years ago
|
Assignee: general → Ms2ger
Comment 7•12 years ago
|
||
Here’s a spec for the non-standard string extensions; an attempt to get
browsers to align their implementations:
http://mathias.html5.org/specs/javascript/#escapeattributevalue
It only requires escaping U+0022 QUOTATION MARK as " (not U+0026
AMPERSAND as &) — see note below for the reasoning behind this.
Tests: http://mathias.html5.org/tests/javascript/string/
(In reply to Robert Sayre from comment #4)
> It's not clear that we can fix this, but we'll mark it for investigation.
Note that WebKit does escape U+0022 QUOTATION MARK as ". It also escapes
U+0027 APOSTROPHE as ', although that seems pointless. It doesn’t escape
U+0026 AMPERSAND, though. No browser does.
As it doesn’t seem to cause any compatibility problems for WebKit, it seems
possible to fix the " issue. I’m afraid the & “issue” is harder to
fix, as there’s no precedent.
Comment 8•12 years ago
|
||
I agree we shouldn't change &. There may be sites that "do the right thing" and escape both & and " before using these methods, that would break if we start escaping &. It also means it is harder for sites to plug their XSS hole for legacy browsers if new browsers start escaping &.
Escaping " seems like a good thing to do, IMHO.
Comment 9•12 years ago
|
||
My previous comment (comment 7) should’ve said V8 instead of WebKit.
For some reason I’m not allowed to add these URLs to the “See Also” list, so here goes:
* Safari/JavaScriptCore: https://bugs.webkit.org/show_bug.cgi?id=90667
* IE/Chakra: https://connect.microsoft.com/IE/feedback/details/752391
* Opera/Carakan: https://bugs.opera.com/browse/CORE-47348 (DSK-369206/CORE-47348)
Assignee | ||
Comment 11•12 years ago
|
||
For ever so slightly faster code
Attachment #639680 -
Flags: review?(jorendorff)
Assignee | ||
Comment 12•12 years ago
|
||
For better conforming code.
Attachment #639681 -
Flags: review?(jorendorff)
Comment 13•12 years ago
|
||
Comment 14•12 years ago
|
||
Comment on attachment 639680 [details] [diff] [review]
Part b: Get rid of some strlen() calls
We shouldn't optimize stuff like this. It's better to do the slow thing than to have the compiler spit out a dozen instantiations of a template.
If you really want to eliminate the strlen calls, make tagify_impl take beginLen and endLen as arguments (it can assert that those arguments are actually equal to strlen(begin) and strlen(end)), then make an inline function template that uses this trick to pass them in. Then measure the perf difference. This doesn't seem worth the effort to me though.
Attachment #639680 -
Flags: review?(jorendorff)
Comment 15•12 years ago
|
||
Comment on attachment 639678 [details] [diff] [review]
Part a: Use StringBuffer
Review of attachment 639678 [details] [diff] [review]:
-----------------------------------------------------------------
r=me with or without the changes.
::: js/src/jsstr.cpp
@@ +2791,1 @@
> taglen += 2 + parlen + 1; /* '="param"' */
Feel free to eliminate the temporary entirely (and then the curly braces here).
@@ +2799,5 @@
> return false;
> +
> + sb.infallibleAppend('<');
> +
> + MOZ_ALWAYS_TRUE(sb.appendInflated(begin, beglen));
Feel free to add methods to vm/StringBuffer.h:
inline void infallibleAppendInflated(const char *cstr, size_t len);
inline void infallibleAppend(JSLinearString *str);
that do this assertion.
Attachment #639678 -
Flags: review?(jorendorff) → review+
Updated•12 years ago
|
Attachment #639681 -
Flags: review?(jorendorff) → review+
Assignee | ||
Comment 16•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/75b38c234582
https://hg.mozilla.org/mozilla-central/rev/355e0e643065
Status: NEW → RESOLVED
Closed: 12 years ago
Keywords: dev-doc-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Comment 17•12 years ago
|
||
Backed out with the mass tree revert to get rid of the OS X M5 orange:
https://hg.mozilla.org/mozilla-central/rev/c801b99d726f
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 18•12 years ago
|
||
Comment 19•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/1fc4a72e45f7
https://hg.mozilla.org/mozilla-central/rev/65e5f28b578c
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Comment 20•12 years ago
|
||
Mentioned on
https://developer.mozilla.org/en-US/docs/Firefox_17_for_developers
https://developer.mozilla.org/en-US/docs/JavaScript/Reference/Global_Objects/String/link
https://developer.mozilla.org/en-US/docs/JavaScript/Reference/Global_Objects/String/anchor
Keywords: dev-doc-needed → dev-doc-complete
You need to log in
before you can comment on or make changes to this bug.
Description
•