Closed Bug 473708 Opened 16 years ago Closed 16 years ago

Untrusted node not wrapped in XPCNativeWrapper when accessed via 'this' in event handler

Categories

(Core :: Security, defect)

defect
Not set
normal


RESOLVED DUPLICATE of bug 460882

People

(Reporter: rockmfr, Unassigned)

Details

(Whiteboard: [sg:dupe 460882])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090113 Shiretoko/3.1b3pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090113 Shiretoko/3.1b3pre

Let's say I'm running a script in browser.xul and do something like the following:

// 'doc' is some unsafe document
var main = doc.getElementById("main");
main.addEventListener("click", function(event)
{
  alert(this);
}, false);

'this' is not implicitly wrapped in an XPCNativeWrapper. I would expect that it would be wrapped.

Reproducible: Always
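
An added model of the mechanism in this report, not code from Bugzilla, Gecko or the reporter: a Proxy stands in for XPCNativeWrapper and a tiny `ContentNode` class stands in for the DOM, showing why `this` inside the listener is the raw node (the wrapper forwards addEventListener, but dispatch binds the native node as receiver) and how holding on to the wrapped reference, or re-wrapping `this`, keeps chrome code from calling content-defined properties. The names `ContentNode`, `wrap`, `isWrapped` and `scenario`, and the "spoofed" expando, are constructed for this example.

```javascript
// Minimal DOM stand-in (constructed for this example). Prototype members
// play the role of native members; own properties play the role of expandos
// a content page could plant on the node.
class ContentNode {
  constructor(tag) { this.tag = tag; this.attrs = {}; this.listeners = []; }
  getAttribute(name) { return this.attrs[name]; }
  addEventListener(type, fn) { this.listeners.push({ type, fn }); }
  dispatch(type) {
    // Like Gecko: the listener's receiver is the native node itself, not the
    // object addEventListener happened to be called on.
    for (const l of this.listeners) if (l.type === type) l.fn.call(this, { type });
  }
}

const WRAPPED = Symbol("wrapped");

// Stand-in for XPCNativeWrapper: exposes only prototype (native) members,
// forwarding calls to the underlying node, so expandos are never reached.
function wrap(node) {
  return new Proxy(node, {
    get(target, prop) {
      if (prop === WRAPPED) return true;
      const native = ContentNode.prototype[prop];
      return typeof native === "function" ? native.bind(target) : undefined;
    },
  });
}
function isWrapped(obj) { return obj[WRAPPED] === true; }

function scenario() {
  const raw = new ContentNode("div");
  raw.attrs.id = "main";
  // Constructed expando planted by the content page, shadowing the native method.
  raw.getAttribute = () => "spoofed";

  const main = wrap(raw);           // what chrome code holds after getElementById
  const seen = {};
  // Pattern from the bug report: trusting `this` inside the listener.
  main.addEventListener("click", function () {
    seen.viaThis = { wrapped: isWrapped(this), id: this.getAttribute("id") };
  });
  // Defensive pattern: re-wrap `this` (or use the closed-over `main`) first.
  main.addEventListener("click", function () {
    const safe = isWrapped(this) ? this : wrap(this);
    seen.viaWrapped = { wrapped: isWrapped(safe), id: safe.getAttribute("id") };
  });
  raw.dispatch("click");            // the content page fires the event
  return seen;
}
```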
This appears to be valid. I have chrome code as follows:

function doStuff(){
    var main = window.content.document.getElementById("main");
    alert("main: "+main);
    main.addEventListener("click", function(event){ alert(this);}, false);
}

When I run doStuff I get an alert saying:
main: [object XPCNativeWrapper [object HTMLDivElement @ 0xaf018680 (native @ 0xaf2e5220)]]

But when I click on the "main" object, I get an alert saying:
[object HTMLDivElement @ 0xaf018680 (native @ 0xaf2e5220)]
Status: UNCONFIRMED → NEW
Ever confirmed: true
How bad would depend on whether we have any Firefox code (or popular addon) that actually does this, but assuming the worst for now. Is this a 3.1 regression or has it been broken for a while?
Flags: wanted1.9.0.x?
Flags: blocking1.9.1?
Flags: blocking1.9.0.7?
Whiteboard: [sg:critical?]
This is effectively the same as the setTimeout issue in bug 460882, which has a patch under review.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Flags: wanted1.9.0.x?
Flags: blocking1.9.1?
Flags: blocking1.9.0.7?
Whiteboard: [sg:critical?] → [sg:dupe 460882]
Does this still need to be hidden?
No it doesn't.
Group: core-security