Closed Bug 422609 Opened 16 years ago Closed 3 years ago

Evaluating Javascript with leading spaces fails in some cases

Categories

(Core :: General, defect)

Product:
Core
Component:
General
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: c.ziegenberg, Unassigned)

References

Details

Attachments

(1 file)

File demonstating the leading space problem
383 bytes, text/html
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.9b4) Gecko/2008030714 Firefox/3.0b4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.9b4) Gecko/2008030714 Firefox/3.0b4

Evaluating Havascript code like "JavaScript: alert('hallo1');" works fine, but when reading the same content from an action of a form (and sure also in other cases) the space in this code is formatted as "%20".

The value called then is "javascript:%20alert('hallo1');", and this causes an error.

I'll add a html page demonstrating this problem.

Reproducible: Always

Steps to Reproduce:
1. open th html file
2. click on the text
Actual Results:  
You get 2 alerts, the third fails in version 3.0b4

Expected Results:  
You should get 3 alerts

Of course this can be fixed by changing the code, but this takes time and some pages cannot be used anymore because of this bug (or behaviour).
Error: syntax error
Source File: https://bugzilla.mozilla.org/attachment.cgi?id=309063
Line: 12, Column: 11
Source Code:
javascript:%20alert('hallo3');

Range: http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2007-07-22+20%3A00&maxdate=2007-07-23+23%3A00

I think it is Bug 389106.
Blocks: CVE-2007-3845
Status: UNCONFIRMED → NEW
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
The fix may be to unescape the URL before evaluating the JS in it, or to make sure that the javascript: URL don't go through the external code path etc..
JS URIs are already being unescaped, see nsJSProtocolHandler.cpp:217. Also, they don't go through the external protocol handler.
Fx trunk returned same escaped version(space is escaped) to document.links['lnk'].href for javasctipt: link.
> <a id="lnk" name="lnk" href="javascript: alert('\\a b c\\');">click here</a>
> Result of document.links['lnk'].href :
>  javascript:%20alert('\\a%20b%20c\\');
> (Note: when link click, no problem.)

document.forms['name_of_a_form'].action and document.links['name_of_a_link'].href  won't return string in action or href attribute. It returns;
  a. full path version when relative path in href/action attribute
  b. escaped version
  c. when file: URI and when MS Win, \ in file path is converted to "/"
  (b. & c. are for quirks or security or safety)
So user should use combination of document.getElementById("id_of_tag") and getAttribute("attribute_name"), if user want to know text string in the attribute.
However, I feel escaping of a space to %20 is too aggressive when javascript: URI. And I think it'll break compatibility with Mozilla & Fx 1/2 & Seamonkey 1 (and IE).


To bug opener & all comment posters:

If escaping of a space in javascript: URI of document.forms['form_name'].action and document.links['link_name'].href will break many Web sites, it's compatibility issue and Fx's behavior is better to be changed back to "not escape a space when javascript: URI". But if not so many sites are affected, I believe this bug is Evange bug.
What do you think?

I used the google code search and searched for:
(action|href)=("|')?javascript:\s

This returned thousands of matches:
http://www.google.com/codesearch?hl=en&lr=&q=%22href%3Djavascript%3A+%22&btnG=Search

I think this will be a problem for a lot of users.
The above link has been refomatted and won't work - search yourself for the mentioned string at http://www.google.com/codesearch

Closing this as resolved:worksforme, I am not able to reproduce this issue with the attached testcase on the latest Firefox Release 93.0 on MacOS 10.15. If this issue is still reproducible for you, please do re-open it.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: