Bug 475216 - CSS serialization doesn't escape characters that need escaping
Status: NEW
Keywords: sec-low, testcase
Product: Core
Classification: Components
Component: DOM: CSS Object Model
Version: Trunk
Platform: All All
Importance: -- minor with 4 votes
Assigned To: Nobody; OK to take it and work on it
Depends on: 280443 543428
Blocks: xss 476744
Reported: 2009-01-24 20:14 PST by Jesse Ruderman
Modified: 2013-04-25 14:20 PDT


Attachments
testcase demonstrating a bunch of escaping issues (234 bytes, text/html)
2009-01-24 20:14 PST, Jesse Ruderman

Description Jesse Ruderman 2009-01-24 20:14:02 PST
Created attachment 358672
testcase demonstrating a bunch of escaping issues
Comment 1 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2009-02-11 17:30:04 PST
Some of these are more than just escaping issues, like the IsPseudoElement function in nsCSSStyleRule.cpp, and perhaps bug 280443.
Comment 2 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2009-03-17 07:38:36 PDT
Bug 478160 and bug 481591 helped a few of the problems here, but there's still a good bit more to fix.
Comment 3 Jesse Ruderman 2013-04-25 14:19:18 PDT
This can lead to security surprises for sites that sanitize user-generated CSS per spec and then use "elem.innerHTML += ...":

http://www.slideshare.net/x00mario/the-innerhtml-apocalypse
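
The round-trip property this bug is about, as an added example that is not taken from the bug's attachment or from Gecko's code: a serializer following the CSSOM "serialize an identifier" rules next to one that emits the parsed value unescaped, checked against constructed sample identifiers. All function names here are hypothetical.

```javascript
// CSSOM "serialize an identifier" rules (the algorithm behind CSS.escape).
function escapeIdent(value) {
  const cps = Array.from(String(value)); // iterate by code point
  let out = "";
  cps.forEach((ch, i) => {
    const cp = ch.codePointAt(0);
    const isDigit = cp >= 0x30 && cp <= 0x39;
    if (cp === 0) {
      out += "\uFFFD"; // NULL becomes the replacement character
    } else if (cp <= 0x1f || cp === 0x7f || (i === 0 && isDigit) ||
               (i === 1 && isDigit && cps[0] === "-")) {
      out += "\\" + cp.toString(16) + " "; // hex escape plus terminating space
    } else if (ch === "-" && cps.length === 1) {
      out += "\\-"; // a lone "-" is not an identifier
    } else if (cp >= 0x80 || /[-_0-9A-Za-z]/.test(ch)) {
      out += ch;
    } else {
      out += "\\" + ch; // any other ASCII character gets a backslash
    }
  });
  return out;
}

// The defect class in the bug title: the parsed value is emitted as-is.
const naiveIdent = (value) => String(value);

// Minimal decoder for CSS escapes, enough to check the output above.
function unescapeIdent(text) {
  return text.replace(/\\(?:([0-9a-fA-F]{1,6})[ \t\n]?|([^]))/g,
    (m, hex, ch) => (hex ? String.fromCodePoint(parseInt(hex, 16)) : ch));
}

// <ident-token> grammar from CSS Syntax: the text must be ONE identifier.
const ESC = String.raw`\\(?:[0-9a-fA-F]{1,6}[ \t\n]?|[^\n0-9a-fA-F])`;
const IDENT = new RegExp(
  `^(?:--|-?(?:[A-Za-z_\\u0080-\\uFFFF]|${ESC}))(?:[-\\w\\u0080-\\uFFFF]|${ESC})*$`);

// True when serialize(value) re-parses to exactly the same identifier.
function roundTrips(serialize, value) {
  const text = serialize(value);
  return IDENT.test(text) && unescapeIdent(text) === value;
}

// Constructed sample values, as they would look after parsing.
const samples = ["plain", "a b{c", "1st", "-5", "-", "x<y"];
for (const v of samples) {
  console.log(JSON.stringify(v), roundTrips(naiveIdent, v), roundTrips(escapeIdent, v));
}
```

A sanitizer that validates the parsed value is only safe if every later serialization passes this check; the same test can be pointed at `cssText` output in a browser.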
