Closed Bug 368858 Opened 13 years ago Closed 13 years ago
Need to sanitize event dialog URL field to prevent script insertion
Whiteboard: [patch in hand][waiting on dveditz, dmose review]
Comment on attachment 253501: Only passes http[s] urls to the browser

My understanding of dveditz' comments in person was that he gives an r+ for this. r2+ with an added XXX comment that we probably want to someday do this using the nsIURI parser instead of by hand (as suggested by dveditz :).
Patch with nits checked in on: SUNBIRD_0_3_BRANCH, LIGHTNING_0_3_BRANCH, MOZILLA_1_8_BRANCH, trunk -> FIXED
Whiteboard: [patch in hand][waiting on dveditz, dmose review] → [fixed0.3.1]
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
yeah, r=me, but not hand-parsing would be better. Seems safe enough in this case.
Status: RESOLVED → VERIFIED
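
The review comments above prefer a real URI parser over hand-parsing for the http[s]-only check. The following is an added sketch of that approach, not code from attachment 253501 or the Mozilla tree: it uses the WHATWG `URL` parser as a stand-in for nsIURI, and `launchableUrl`, `prefixCheck`, `report` and the sample inputs are constructed for illustration.

```javascript
// Added illustration, not the Sunbird/Lightning patch. The WHATWG URL parser
// (a global in Node.js and browsers) stands in for nsIURI here.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized URL if the field value may be passed to the browser,
// or null if it must be treated as inert text.
function launchableUrl(fieldValue) {
  if (typeof fieldValue !== "string") return null;
  let parsed;
  try {
    parsed = new URL(fieldValue); // no base given, so relative input throws
  } catch (e) {
    return null;
  }
  // The parser lower-cases the scheme and strips surrounding whitespace and
  // embedded tabs/newlines before we ever look at it.
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Hypothetical hand-written check, constructed only for contrast.
function prefixCheck(fieldValue) {
  return /^https?/i.test(fieldValue);
}

// Constructed sample field values.
const SAMPLES = [
  "https://example.org/meeting?id=1",
  "HTTP://Example.ORG/agenda",
  "  https://example.org/ ",
  "httpx://example.org/",
  "javascript:void(0)",
  " JavaScript:void(0)",
  "data:text/html,hello",
  "example.org/agenda",
];

// Runs both checks over each sample so the disagreements are visible.
function report(samples) {
  return samples.map((s) => ({
    input: s,
    parser: launchableUrl(s),
    prefix: prefixCheck(s),
  }));
}

console.log(report(SAMPLES));
```

The two checks disagree on `httpx://example.org/` (the prefix match accepts it, the parser-based allowlist does not) and on the whitespace-padded https value (the reverse), which is the kind of drift the reviewers' preference for a parser avoids.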