Even escaped HTML code is rendered partly in the feed preview.

Status: VERIFIED INCOMPLETE
People: Reporter: max.vogler, Unassigned
Tracking: 3.0 Branch, x86, Windows XP
Whiteboard: [sg:needinfo]
Attachments: 2

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

HTML is parsed partly (<img> is parsed, <script> not) even if it's escaped. This is extremely dangerous for websites that allow RSS feeds for user generated content. An evil user who submits an image like <img src="http://evil.org/track_ip.php"> is able to find out the IP of everyone that previews the feed.

Reproducible: Always

Steps to Reproduce:
1. find a feed which contains escaped html and preview it in firefox
Actual Results:
Images and other escaped(!) HTML are rendered, scripts not

Expected Results:  
No escaped HTML should be rendered.

<![CDATA[<b>this text should be bold</b>]]>
<![CDATA[&lt;b&gt; this text shouldn't be..
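The distinction the report draws, as an added example that is not part of the bug report or of Firefox's feed preview code: a Python script parses a constructed feed modelled on the two CDATA test lines above (plus a constructed tracking-pixel item pointing at the reserved example.invalid host) and lists which tags would be rendered after the single legitimate decode (CDATA to text, done by the XML parser) versus after an extra HTML unescape, which is the double-unescaping behaviour described in the report.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed, modelled on the two test lines in the report:
#  "raw"     carries real markup inside CDATA      -> should render bold
#  "escaped" carries entity-escaped markup in CDATA -> should stay literal text
#  "pixel"   escaped <img> with a placeholder URL    -> must NOT become a request
FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed feed</title>
<item><title>raw</title>
 <description><![CDATA[<b>this text should be bold</b>]]></description></item>
<item><title>escaped</title>
 <description><![CDATA[&lt;b&gt; this text shouldn't be..&lt;/b&gt;]]></description></item>
<item><title>pixel</title>
 <description><![CDATA[&lt;img src="http://example.invalid/track.gif"&gt;]]></description></item>
</channel></rss>"""


class TagCollector(HTMLParser):
    """Records the start tags an HTML renderer would instantiate from a string."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_rendered(markup):
    """Tag names that rendering `markup` as HTML would create ([] for plain text)."""
    collector = TagCollector()
    collector.feed(markup)
    return collector.tags


def preview_descriptions(feed_xml, double_unescape=False):
    """Map item title -> tags a preview would render from its description.
    The XML parser already performs the one correct decode (CDATA -> text).
    double_unescape=True adds the extra html.unescape() that turns escaped
    entities back into live markup: the defect the report describes."""
    root = ET.fromstring(feed_xml)
    rendered = {}
    for item in root.iter("item"):
        text = item.findtext("description") or ""
        if double_unescape:
            text = html.unescape(text)  # second decode: &lt;img&gt; becomes <img>
        rendered[item.findtext("title")] = tags_rendered(text)
    return rendered


if __name__ == "__main__":
    print("single decode :", preview_descriptions(FEED))
    print("double decode :", preview_descriptions(FEED, double_unescape=True))
```

Only the "raw" item should ever yield a tag; any tag appearing for "escaped" or "pixel" means the previewer decoded entities a second time.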
(Reporter)

Updated

10 years ago
Version: unspecified → 3.0 Branch
Created attachment 340466 [details]
WFM testcase

This testcase, with <![CDATA[&lt;b&gt;..., works for me - the preview displays <b>Am I bold?</b> in trunk and 3.0.2. Can you attach a testcase feed that demonstrates what you are seeing?

Updated

10 years ago
Whiteboard: [sg:needinfo]
Created attachment 343761 [details]
Also WFM testcase

Title and description, channel and item, none of it being double-unescaped and rendered.

Max, we really need an attached testcase that shows what you're seeing, to be able to do anything here.
After a month probably not going to get any more information
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → INCOMPLETE
Verifying incomplete.  If it can be reproduced in Firefox 3.5 or 3.6 and more information is provided, we will reopen.
Status: RESOLVED → VERIFIED