Extension name should be escaped in JS calls

Status: VERIFIED FIXED
Product: addons.mozilla.org Graveyard
Component: Public Pages
Priority: --
Severity: major
Opened: 11 years ago
Last modified: 2 years ago

Reporter: mao
Assignee: fligtar
Attachments: 1

(Reporter)

Description

11 years ago
Extensions with a single quote in their name break JavaScript in the extension detail page.
While names are HTML escaped (correct), they also need to be escaped for proper usage as JS string constants, e.g. in
http://lxr.mozilla.org/mozilla/source/webtools/addons/public/tpl/addon.tpl#39

Notice that, generally speaking, this kind of bug can theoretically be exploited for XSS attacks.
While in this very case this would need a mad reviewer approving an extension with a crazy name, scanning the templates for other instances of this pattern may be advisable (hence the security flag).
(Assignee)

Comment 1

11 years ago
Created attachment 251620 [details] [diff] [review]
escape patch

This escapes the name in JavaScript everywhere I can think of: addon.tpl, index.tpl, and recommended.tpl. The names aren't used in the dictionary JavaScript.

In addition to the slight security problem, this bug also makes the download counter not work for extensions with quotes in their name, such as the one in this bug's URL.
Assignee: nobody → fligtar
Status: NEW → ASSIGNED
Attachment #251620 - Flags: first-review?(morgamic)
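
The gap described in the report and addressed in comment 1, as an added example that is not code from addons.mozilla.org or from the attached patch. It assumes the name is placed in a JS string inside an inline event-handler attribute, uses a hypothetical `recordDownload()` handler and constructed names, and goes beyond the single-quote case by also covering backslash and double quote.

```javascript
// Added example. Names and the recordDownload() handler are constructed, not from addon.tpl.
const ENT = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
const UNENT = Object.fromEntries(Object.entries(ENT).map(([c, e]) => [e, c]));

// HTML-escape a value for use inside a quoted attribute.
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ENT[c]);

// What the HTML parser does to an attribute value before the JS engine sees it.
const decodeHtml = (s) => s.replace(/&(?:amp|lt|gt|quot|#039);/g, (e) => UNENT[e]);

// Escape a value for use inside a quoted JS string literal. Quotes, backslash,
// line terminators and HTML-significant characters become \uXXXX sequences.
function escapeJsString(s) {
  return s.replace(/[\\'"<>&\r\n\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Model of a template line: onclick="recordDownload('{name}')".
function renderHandler(name, jsEscape) {
  const value = jsEscape ? escapeJsString(name) : name;
  return "recordDownload('" + escapeHtml(value) + "')";
}

// Decode the attribute like a browser would, then run the handler against a stub.
// Returns the argument the stub received, or null if the source does not parse.
function handlerArgument(attrValue) {
  let seen = null;
  try {
    new Function('recordDownload', decodeHtml(attrValue))((arg) => { seen = arg; });
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
    return null;
  }
  return seen;
}

for (const name of ["Bob's Toolbar", 'Tab "Mix" \\ Plus & more']) {
  console.log(JSON.stringify(name),
    '| HTML only:', handlerArgument(renderHandler(name, false)),
    '| JS then HTML:', handlerArgument(renderHandler(name, true)));
}
```

With HTML escaping alone, the first name yields a handler that fails to parse and the second is silently altered because the backslash is consumed as an escape; with JS string escaping applied first, both names reach the handler unchanged.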
(Assignee)

Updated

11 years ago
Component: Add-ons → Public Pages
QA Contact: add-ons → web-ui
Attachment #251620 - Flags: first-review?(morgamic) → first-review+
(Assignee)

Comment 2

11 years ago
Checked in and tagged for staging/production.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
(Assignee)

Comment 3

11 years ago
If someone could remove webtools-security for me, it would pretty much be the best thing ever.
Group: update-security
Status: RESOLVED → VERIFIED
Done.
Group: webtools-security
Product: addons.mozilla.org → addons.mozilla.org Graveyard