Bug 473708
Opened 16 years ago
Closed 16 years ago
Untrusted node not wrapped in XPCNativeWrapper when accessed via 'this' in event handler
Categories: Core :: Security, defect
Status: RESOLVED DUPLICATE of bug 460882
People: Reporter: rockmfr, Unassigned
Whiteboard: [sg:dupe 460882]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090113 Shiretoko/3.1b3pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090113 Shiretoko/3.1b3pre

Let's say I'm running a script in browser.xul and do something like the following:

    // 'doc' is some unsafe document
    var main = doc.getElementById("main");
    main.addEventListener("click", function(event) {
      alert(this);
    }, false);

'this' is not implicitly wrapped in an XPCNativeWrapper. I would expect that it would be wrapped.

Reproducible: Always
Comment 1 • 16 years ago

This appears to be valid. I have chrome code as follows:

    function doStuff() {
      var main = window.content.document.getElementById("main");
      alert("main: " + main);
      main.addEventListener("click", function(event) {
        alert(this);
      }, false);
    }

When I run doStuff I get an alert saying:

    main: [object XPCNativeWrapper [object HTMLDivElement @ 0xaf018680 (native @ 0xaf2e5220)]]

But when I click on the "main" object, I get an alert saying:

    [object HTMLDivElement @ 0xaf018680 (native @ 0xaf2e5220)]
Status: UNCONFIRMED → NEW
Ever confirmed: true
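A toy Node.js model of the behaviour reported above and confirmed in Comment 1, added here as an illustration; it is not code from the bug or from Gecko. NativeElement, wrapNative and dispatch are constructed stand-ins for a content element, for XPCNativeWrapper and for event dispatch, and the href and the spoofed value are made up. It shows why the unwrapped `this` matters: a content page can shadow a DOM method on its own node, and privileged listener code that reaches the raw node through `this` ends up calling the page's function instead of the native one.

```javascript
"use strict";
// Added illustration, not Gecko code: a toy model of the hazard in this bug.
// NativeElement, wrapNative and dispatch are constructed stand-ins for a
// content DOM node, XPCNativeWrapper and event dispatch respectively.

// Stand-in for the native element implementation. Only members defined on
// this prototype are "native" members a wrapper is allowed to expose.
class NativeElement {
  constructor(id, href) {
    this._id = id;
    this._href = href;
    this._listeners = [];
  }
  get id() { return this._id; }
  getAttribute(name) { return name === "href" ? this._href : null; }
  addEventListener(type, fn) { this._listeners.push({ type, fn }); }
}

// Stand-in for XPCNativeWrapper: every lookup is resolved on the native
// prototype and bound to the underlying node, so properties the content page
// has set or shadowed on the node itself are never reached.
function wrapNative(node) {
  const proto = NativeElement.prototype;
  return new Proxy(node, {
    get(target, prop) {
      const desc = Object.getOwnPropertyDescriptor(proto, prop);
      if (!desc) return undefined;
      if (desc.get) return desc.get.call(target);
      if (typeof desc.value === "function") return desc.value.bind(target);
      return desc.value;
    },
  });
}

// Stand-in for event dispatch. wrapThis=false models this bug (the listener
// runs with the raw content node as `this`); wrapThis=true models the
// behaviour the reporter expected (`this` is the wrapped node).
function dispatch(node, type, wrapThis) {
  const thisValue = wrapThis ? wrapNative(node) : node;
  return node._listeners
    .filter((l) => l.type === type)
    .map((l) => l.fn.call(thisValue, { type }));
}

// Reproduces the report: chrome holds a wrapper, adds a click listener through
// it, and reads this.getAttribute("href") inside the listener.
function scenario(wrapThis) {
  // Content page builds its node...
  const main = new NativeElement("main", "https://example.org/real");
  // ...and, as untrusted script may, shadows a method on it. The return value
  // is a constructed attacker-controlled string.
  main.getAttribute = function () { return "javascript:spoofed"; };

  // Chrome side: chromeMain stands in for what
  // window.content.document.getElementById hands chrome code, i.e. a wrapper
  // around the content node.
  const chromeMain = wrapNative(main);
  chromeMain.addEventListener("click", function (event) {
    return this.getAttribute("href");
  });

  return dispatch(main, "click", wrapThis)[0];
}

// Unwrapped `this` (this bug): the page's shadowed method answers.
console.log(scenario(false)); // "javascript:spoofed"
// Wrapped `this` (expected): the native implementation answers.
console.log(scenario(true));  // "https://example.org/real"
```

The wrapper in this model is deliberately one-directional: it only resolves members that exist on the native prototype, which is the property that makes a NativeWrapper safe to hold in privileged code. Anything that hands privileged code the raw node instead, here the `this` value of the listener, bypasses that property entirely.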
Comment 2 • 16 years ago

How bad would depend on whether we have any Firefox code (or popular addon) that actually does this, but assuming the worst for now. Is this a 3.1 regression or has it been broken for a while?
Flags: wanted1.9.0.x?
Flags: blocking1.9.1?
Flags: blocking1.9.0.7?
Whiteboard: [sg:critical?]
Comment 3 • 16 years ago

This is effectively the same as the setTimeout issue in bug 460882, which has a patch under review.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Updated • 16 years ago
Flags: wanted1.9.0.x?
Flags: blocking1.9.1?
Flags: blocking1.9.0.7?
Whiteboard: [sg:critical?] → [sg:dupe 460882]
Comment 4 • 15 years ago (Reporter)

Does this still need to be hidden?