CSS serialization doesn't escape characters that need escaping

NEW
Unassigned

Status


Core
DOM: CSS Object Model
--
minor
9 years ago
4 years ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

(Blocks: 1 bug, {sec-low, testcase})

Trunk
sec-low, testcase

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
Created attachment 358672 [details]
testcase demonstrating a bunch of escaping issues
(Reporter)

Updated

9 years ago
Blocks: 476744
Some of these are more than just escaping issues, like the IsPseudoElement function in nsCSSStyleRule.cpp, and perhaps bug 280443.
Bug 478160 and bug 481591 helped a few of the problems here, but there's still a good bit more to fix.
Depends on: 543428
QA Contact: general → style-system
Depends on: 280443
Target Milestone: --- → mozilla13
Version: Trunk → 15 Branch

Updated

5 years ago
OS: Mac OS X → All
Hardware: x86 → All
Target Milestone: mozilla13 → ---
Version: 15 Branch → Trunk
(Reporter)

Comment 3

4 years ago
This can lead to security surprises for sites that sanitize user-generated CSS per spec and then use "elem.innerHTML += ...":

http://www.slideshare.net/x00mario/the-innerhtml-apocalypse
Keywords: sec-low
(Reporter)

Updated

4 years ago
Blocks: 301375
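
An added example (not part of this bug report, its attached testcase, or Gecko's code): the escaping that the CSSOM "serialize an identifier" and "serialize a string" rules call for, written as plain JavaScript so that a serialized value re-parses to the same token. The function names and the sample inputs are constructed for illustration.

```javascript
// Escape a code point as backslash + hex digits + terminating space.
const hexEscape = (cp) => "\\" + cp.toString(16) + " ";

// CSSOM "serialize an identifier" (the same rules CSS.escape() applies).
function serializeIdentifier(ident) {
  const chars = Array.from(ident); // iterate by code point, not UTF-16 unit
  let out = "";
  chars.forEach((ch, i) => {
    const cp = ch.codePointAt(0);
    const isDigit = cp >= 0x30 && cp <= 0x39;
    if (cp === 0) out += "\uFFFD"; // NULL becomes REPLACEMENT CHARACTER
    else if (cp <= 0x1f || cp === 0x7f) out += hexEscape(cp); // controls
    else if (isDigit && (i === 0 || (i === 1 && chars[0] === "-")))
      out += hexEscape(cp); // leading digit, or digit right after a leading "-"
    else if (ch === "-" && chars.length === 1) out += "\\-"; // lone "-"
    else if (cp >= 0x80 || /[-_0-9A-Za-z]/.test(ch)) out += ch; // safe as-is
    else out += "\\" + ch; // every other ASCII character is backslash-escaped
  });
  return out;
}

// CSSOM "serialize a string": always double-quoted; quote, backslash and
// control characters are escaped so the value cannot end the string early.
function serializeString(s) {
  let out = '"';
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (cp === 0) out += "\uFFFD";
    else if (cp <= 0x1f || cp === 0x7f) out += hexEscape(cp);
    else if (ch === '"' || ch === "\\") out += "\\" + ch;
    else out += ch;
  }
  return out + '"';
}

// Constructed sample identifiers, each needing a different escaping rule.
for (const sample of ["1a", "-1", "a b", "x{}", "-"]) {
  console.log(JSON.stringify(sample), "->", serializeIdentifier(sample));
}
```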