Closed Bug 506855 Opened 15 years ago Closed 15 years ago

Data is not escaped before being printed in validator

Categories

(addons.mozilla.org Graveyard :: Admin/Editor Tools, defect)

defect
Not set
blocker

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: clouserw, Assigned: rjwalsh)

References

()

Details

Attachments

(2 files)

Attached image screenshot
This is a blocker/security bug. You can reproduce at https://preview.addons.mozilla.org/en-US/developers/versions/validate/38996 but I'm attaching a screenshot anyway. There are two issues. The first is that the pattern it's matching is empty (perhaps it's not escaped either?) and the second is that it's printing out the code from the file but not escaping it. In this case, an iframe. The source of that area of the page is: <li class="warning"> <a href="https://preview.addons.mozilla.org/files/browse/22340/0/?start=chrome/content/aefirstpopup.xul"> chrome/content/aefirstpopup.xul (72)</a> : Matched Pattern: "//i" <div class="code"> <div class="line"> <separator class="thin"></separator>&nbsp;</div> <div class="line target"> <iframe id="logbox" src="chrome://attachmentextractor/content/changelogloading.xul" height="300px" width="600px"></iframe>&nbsp;</div> <div class="line">&nbsp;</div> </div> </li>
We should have a unit test for this and double check the output of all the other functions too. This is a 5.0.8 blocker.
Attachment #391183 - Flags: review?(clouserw)
Comment on attachment 391183 [details] [diff] [review] Patch with fixes and tests This fixes the bug for me, thanks.
Attachment #391183 - Flags: review?(clouserw) → review+
Committed r30602
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Group: client-services-security
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: