Closed Bug 437618 Opened 17 years ago Closed 17 years ago

legacy String methods may expose sites to XSS (aka, the most silly bug ever)

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
trivial

Tracking
RESOLVED DUPLICATE of bug 352437

People

(Reporter: lcamtuf, Unassigned)

Details

Ok, this might be the dumbest thing I've ever spotted, and I'm filing it for your amusement, mostly... JavaScript String class supports a number of legacy functions such as .anchor, .fontcolor, etc, to somehow "simplify" generating HTML. Of what use they would be, what do they simplify, or why would anyone in their right mind put them in String is beyond me.

However, if these are ever, by a stretch of imagination, used by anyone to actually select font colors, sizes, or produce other bits of HTML on attacker-controlled input - well, these are trivially vulnerable to cross site scripting due to insufficient escaping, and would expose the site that relies on this in an unexpected and undocumented manner. Amusingly enough, the same brokenness is populated across MSIE, Firefox, Safari, and Opera.

javascript:"foo".anchor("hello\"><script>alert(1)</script>")
javascript:"foo".fontcolor("hello\"><script>alert(1)</script>")
javascript:"foo".fontsize("hello\"><script>alert(1)</script>")
javascript:"foo".link("hello\"><script>alert(1)</script>")

You probably want to fix it (or just kill these altogether).

/mz
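As an added example (not code from the bug report, from Mozilla, or from the engines mentioned), the following runs in any JavaScript engine and does two things: it reports whether this engine's legacy String helpers (anchor, fontcolor, fontsize, link) escape a double quote placed in the attribute argument, which is the insufficient-escaping point the report makes, and it shows a small hardened builder that escapes its own inputs instead of trusting the helper. The names LEGACY_HELPERS, quoteCount, checkLegacyHtmlHelpers, escapeHtml and safeAnchor and the probe strings are chosen here for illustration.

```javascript
// Added example, not part of the original bug report.

const LEGACY_HELPERS = ["anchor", "fontcolor", "fontsize", "link"];

// Number of double quotes in a string. A single-attribute tag built by one
// of these helpers should contain exactly two: the attribute delimiters.
function quoteCount(html) {
  return (html.match(/"/g) || []).length;
}

// Feed each helper an attribute value that contains a double quote
// (constructed probe) and report whether the quote survived unescaped.
//   true  => the quote was escaped (e.g. as &quot;), attribute stays intact
//   false => a raw quote got through, so the attribute can be closed early
function checkLegacyHtmlHelpers() {
  const probe = 'a"b';
  const result = {};
  for (const name of LEGACY_HELPERS) {
    const out = String.prototype[name].call("text", probe);
    result[name] = quoteCount(out) === 2;
  }
  return result;
}

// Escape the characters that change meaning inside HTML text or inside a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened replacement for "text".anchor(name): both the attribute value and
// the element text are escaped before they are placed into the markup, so an
// untrusted name cannot terminate the attribute or the tag.
function safeAnchor(text, name) {
  return '<a name="' + escapeHtml(name) + '">' + escapeHtml(text) + "</a>";
}

console.log(checkLegacyHtmlHelpers());
console.log(safeAnchor("foo", 'hello" title="injected'));
```

Any helper reported as false is one where untrusted input must never be passed as the attribute argument; use the escaping builder (or DOM APIs that set attributes directly) instead.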
I think this is a dup of bug 352437, and given its longstandingness and ease of discovery I don't really think it needs to be hidden. Anyone disagree?
Assignee: nobody → general
Component: Security → JavaScript Engine
Product: Firefox → Core
QA Contact: firefox → general
Version: 2.0 Branch → Trunk
I agree with Waldo.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Oopsey - yeah, I don't think it needs to be hidden.
Group: security