Closed Bug 411483 Opened 18 years ago Closed 15 years ago

Timestamp string in directory list should be html escaped

Categories

(Firefox :: File Handling, defect)

Product:
Firefox
Component:
File Handling
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: masa141421356, Unassigned)

Details

(Whiteboard: [CLOSEME 2010-11-15])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 Current directory list uses result of FormatPRTime(). But , Its result can contain HTML special characters. So, It is needed to HTML escape. Reproducible: Always Steps to Reproduce: 1.At Windows, set your Shor Date format as "yy/mm/dd'<script>alert(window.title)</script>'" in Control Panel. 2.Show directory list of your local directory. 3. Actual Results: Script will run. Expected Results: Script should not run.
Summary: Timestamp string should be html escaped → Timestamp string in directory list should be html escaped
Also reproduced at Fx2.0.0.11/WinXP
Also reproduced at Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008010813 Minefield/3.0b3pre
Also reproduced in Opera... I'm totally playing this trick on friends using a random image url generator :P
This bug was reported using Firefox 3.0 or older, which is no longer supported. The bug has also not been changed in over 500 days and is still in UNCO. Reporter, please retest this bug in Firefox 3.6.10 or later using a fresh profile, http://support.mozilla.com/en-US/kb/managing+profiles. If you still see this problem, please update the bug. If you no longer see the bug, please set the resolution to RESOLVED, WORKSFORME. This is a mass search of unconfirmed bugs that have no activity on them, so if you feel a bug was marked in error, just remove the CLOSEME comment in the whiteboard within the next month.
Whiteboard: [CLOSEME 2010-11-15]
No reply, INCOMPLETE. Please retest with Firefox 3.6.12 or later and a new profile (http://support.mozilla.com/kb/Managing+profiles). If you continue to see this issue with the newest firefox and a new profile, then please comment on this bug.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE
I've confirmed this issue is reproduced on Mozilla/5.0 (Windows NT 5.1; rv:2.0b10pre) Gecko/20110114 Firefox/4.0b10pre Build ID: 20110114030359, and Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 Build ID: 20101203075014.
You need to log in before you can comment on or make changes to this bug.