Open Bug 459561 Opened 13 years ago Updated 13 years ago
Eval textbox is revealed to the user if Page Style is set to "No Style"
A hidden textbox with (presumably) scripts to evaluate is hidden on the page. But it is hidden with a CSS "display: none" rule. Therefore, if I turn off CSS styles I can see and freely edit the contents of the textbox. Uh oh. I don't think there's any difference functionally between an HTML input and a XUL textbox.
Attachment #342779 - Flags: review?(zeniko)
Comment on attachment 342779 (Patch)
That textbox contains the state of the crashed session which is automatically saved by SessionStore in case of a repeated crash. XUL textboxes OTOH aren't saved at all, unless they're special-cased in nsSessionStore.js (which we currently do for about:config). This change requires special-casing as well...
Attachment #342779 - Flags: review?(zeniko) → review-
BTW: Changing the content of that textbox would be equivalent to editing sessionstore.js, which the user could do anyway. So I'm not sure what this change would gain us. Should we still want this change, please remove the current special-casing of about:sessionrestore in nsSessionStore.js.
I don't suppose <input type="hidden"> would work, would it?
Sorry, I hadn't seen your comment in bug 459550.