Closed Bug 422609 Opened 17 years ago Closed 3 years ago

Evaluating Javascript with leading spaces fails in some cases

Categories

(Core :: General, defect)

Product:
Core
Component:
General
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: c.ziegenberg, Unassigned)

References

Details

Attachments

(1 file)

File demonstating the leading space problem
383 bytes, text/html
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.9b4) Gecko/2008030714 Firefox/3.0b4 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.9b4) Gecko/2008030714 Firefox/3.0b4 Evaluating Havascript code like "JavaScript: alert('hallo1');" works fine, but when reading the same content from an action of a form (and sure also in other cases) the space in this code is formatted as "%20". The value called then is "javascript:%20alert('hallo1');", and this causes an error. I'll add a html page demonstrating this problem. Reproducible: Always Steps to Reproduce: 1. open th html file 2. click on the text Actual Results: You get 2 alerts, the third fails in version 3.0b4 Expected Results: You should get 3 alerts Of course this can be fixed by changing the code, but this takes time and some pages cannot be used anymore because of this bug (or behaviour).
Error: syntax error Source File: https://bugzilla.mozilla.org/attachment.cgi?id=309063 Line: 12, Column: 11 Source Code: javascript:%20alert('hallo3'); Range: http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2007-07-22+20%3A00&maxdate=2007-07-23+23%3A00 I think it is Bug 389106.
Blocks: CVE-2007-3845
Status: UNCONFIRMED → NEW
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
The fix may be to unescape the URL before evaluating the JS in it, or to make sure that the javascript: URL don't go through the external code path etc..
JS URIs are already being unescaped, see nsJSProtocolHandler.cpp:217. Also, they don't go through the external protocol handler.
Fx trunk returned same escaped version(space is escaped) to document.links['lnk'].href for javasctipt: link. > <a id="lnk" name="lnk" href="javascript: alert('\\a b c\\');">click here</a> > Result of document.links['lnk'].href : > javascript:%20alert('\\a%20b%20c\\'); > (Note: when link click, no problem.) document.forms['name_of_a_form'].action and document.links['name_of_a_link'].href won't return string in action or href attribute. It returns; a. full path version when relative path in href/action attribute b. escaped version c. when file: URI and when MS Win, \ in file path is converted to "/" (b. & c. are for quirks or security or safety) So user should use combination of document.getElementById("id_of_tag") and getAttribute("attribute_name"), if user want to know text string in the attribute. However, I feel escaping of a space to %20 is too aggressive when javascript: URI. And I think it'll break compatibility with Mozilla & Fx 1/2 & Seamonkey 1 (and IE).
To bug opener & all comment posters: If escaping of a space in javascript: URI of document.forms['form_name'].action and document.links['link_name'].href will break many Web sites, it's compatibility issue and Fx's behavior is better to be changed back to "not escape a space when javascript: URI". But if not so many sites are affected, I believe this bug is Evange bug. What do you think?
I used the google code search and searched for: (action|href)=("|')?javascript:\s This returned thousands of matches: http://www.google.com/codesearch?hl=en&lr=&q=%22href%3Djavascript%3A+%22&btnG=Search I think this will be a problem for a lot of users.
The above link has been refomatted and won't work - search yourself for the mentioned string at http://www.google.com/codesearch

Closing this as resolved:worksforme, I am not able to reproduce this issue with the attached testcase on the latest Firefox Release 93.0 on MacOS 10.15. If this issue is still reproducible for you, please do re-open it.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: