366868 - Extension name should be escaped in JS calls

Status: VERIFIED FIXED

(addons.mozilla.org Graveyard :: Public Pages, defect)

Description

[Giorgio Maone [:ma1]]

Extensions with a single quote in their name break JavaScript in extension detail page.
While names are HTML escaped (correct), they need also to be escaped for proper usage as JS string constants, e.g. in
http://lxr.mozilla.org/mozilla/source/webtools/addons/public/tpl/addon.tpl#39

Notice that, generally speaking, this kind of bugs can theoretically be exploited for XSS attacks.
While in this very case this would need a mad reviewer approving an extension with a crazy name, scanning the templates for other instances of this pattern may be advisable (hence the security flag).

Comment 1

[Justin Scott [:fligtar]]

Attachment: escape patch

This escapes the name in JavaScript everywhere I can think of: addon.tpl, index.tpl, and recommended.tpl. The names aren't used in the dictionary JavaScript.

In addition to the slight security problem, this bug also makes the download counter not work for extensions with quotes in their name, such as the one in this bug's URL.

Comment 2

[Justin Scott [:fligtar]]

Checked in and tagged for staging/production.

Comment 3

[Justin Scott [:fligtar]]

If someone could remove webtools-security for me, it would pretty much be the best thing ever.

Comment 4

[Reed Loden [:reed]]

Done.