legacy String methods may expose sites to XSS (aka, the most silly bug ever)

RESOLVED DUPLICATE of bug 352437

Status

Priority: --
Severity: trivial

People

(Reporter: lcamtuf, Unassigned)

Tracking

Version: Trunk

Description (Reporter)

11 years ago
Ok, this might be the dumbest thing I've ever spotted, and I'm filing it for your amusement, mostly... 

The JavaScript String class supports a number of legacy functions such as .anchor, .fontcolor, etc., to somehow "simplify" generating HTML. Of what use they would be, what do they simplify, or why would anyone in their right mind put them in String is beyond me.

However, if these are ever, by a stretch of imagination, used by anyone to actually select font colors, sizes, or produce other bits of HTML on attacker-controlled input - well, these are trivially vulnerable to cross-site scripting due to insufficient escaping, and would expose the site that relies on this in an unexpected and undocumented manner. Amusingly enough, the same brokenness is populated across MSIE, Firefox, Safari, and Opera.

javascript:"foo".anchor("hello\"><script>alert(1)</script>")
javascript:"foo".fontcolor("hello\"><script>alert(1)</script>")
javascript:"foo".fontsize("hello\"><script>alert(1)</script>")
javascript:"foo".link("hello\"><script>alert(1)</script>")

You probably want to fix it (or just kill these altogether).

/mz

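Added example, not code from the report or from Mozilla: the four helpers named above, run on the report's payload, next to a hardened builder that escapes both the receiver string and the attribute value and allowlists the URL scheme for link(). It assumes a current engine (Node.js), where only the double quote in the argument is escaped and the receiver is still emitted verbatim; LEGACY, escapeHtml, legacyHtml, safeHtml and demo are this example's own names.

```javascript
// Added example (not from the bug report): the legacy String HTML helpers next
// to a hardened builder. Assumes a current engine (Node.js) implementing ES
// Annex B CreateHTML: only `"` in the argument is escaped, the receiver never.

// The four helpers named in the report, mapped to the markup they emit.
const LEGACY = {
  anchor:    { tag: 'a',    attr: 'name'  },
  link:      { tag: 'a',    attr: 'href'  },
  fontcolor: { tag: 'font', attr: 'color' },
  fontsize:  { tag: 'font', attr: 'size'  },
};

// Escape the characters that change meaning in HTML text or attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// What the built-in helper returns today: receiver verbatim, only `"` escaped.
function legacyHtml(text, method, value) {
  return String.prototype[method].call(text, value);
}

// Hardened equivalent. Escaping alone is not enough for href: a
// `javascript:` URL survives escaping intact, so the scheme is allowlisted.
function safeHtml(text, method, value) {
  const { tag, attr } = LEGACY[method];
  if (attr === 'href') {
    let url = null;
    try { url = new URL(String(value)); } catch (e) { /* not an absolute URL */ }
    if (!url || !['http:', 'https:'].includes(url.protocol)) {
      throw new Error(`rejected href: ${value}`);
    }
  }
  return `<${tag} ${attr}="${escapeHtml(value)}">${escapeHtml(text)}</${tag}>`;
}

// Constructed inputs: the report's attribute payload, plus a tag in the receiver.
const ATTR_PAYLOAD = 'hello"><script>alert(1)</script>';
const TEXT_PAYLOAD = '<b>injected</b>';

// Side-by-side output of every helper for one attribute value; run demo() to see it.
function demo(value = ATTR_PAYLOAD) {
  const out = {};
  for (const method of Object.keys(LEGACY)) {
    let safe;
    try { safe = safeHtml(TEXT_PAYLOAD, method, value); } catch (e) { safe = e.message; }
    out[method] = { legacy: legacyHtml(TEXT_PAYLOAD, method, value), safe };
  }
  return out;
}
```

Note that the receiver string (the text the method is called on) is never escaped by the built-in helpers, so a safe argument does not make the output safe.
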
Comment 1

11 years ago
I think this is a dup of bug 352437, and given its longstandingness and ease of discovery I don't really think it needs to be hidden. Anyone disagree?
Assignee: nobody → general
Component: Security → JavaScript Engine
Product: Firefox → Core
QA Contact: firefox → general
Version: 2.0 Branch → Trunk

Comment 2

11 years ago
I agree with Waldo.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 352437

Comment 3 (Reporter)

11 years ago
Oopsey - yeah, I don't think it needs to be hidden.
Group: security