Open Bug 524329 Opened 16 years ago Updated 3 years ago

docshell.allowJavascript does not disable JavaScript in inline event handlers

Categories

(Core :: DOM: Navigation, defect)

x86
macOS
defect

Tracking

UNCONFIRMED

People

(Reporter: cfinke, Unassigned)

Details

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3

Given an XUL <editor> tag with a src file loaded from a chrome:// URL, the following HTML will result in an alert box:

<img src="http://www.google.com/intl/en_ALL/images/logo.gif" onload="alert(1);" />

even when this code:

editor.docShell.allowJavascript = false;

is executed.

This is of special importance to me, as a ScribeFire user could be the victim of an attack by being persuaded to drag and drop an image from a webpage into ScribeFire that contains a malicious onload="" event handler.

A workaround is indeed to load the editor content from a data URL, but this doesn't work for me, since I need to allow users to drag images from their hard drive into the editor, and a data-URL-powered editor won't display these images.

Reproducible: Always
Component: DOM: Events → Document Navigation
QA Contact: events → docshell
So hold on. What's the setup here? You have an <editor>, right? Does it have a type attribute set? At what point do you do |editor.docShell.allowJavascript = false|? Can you just attach a small testcase (either to be run as -chrome or as a Firefox extension) showing the problem?
Here's a testcase as an add-on. It shows an editor, a textarea, and a button. Clicking the button will copy the HTML in the textarea into the editor's content document. editor.docShell.allowJavascript is set to false in an onload handler, so no JavaScript you put into the textarea should execute after the button is pressed, but it does if you put it into the onload="" of an <img> tag.
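A mitigation for the situation the testcase describes, added here as an example and not part of the bug's attachment or of ScribeFire: because docShell.allowJavascript does not block inline event handlers, the add-on can strip every on* attribute from the HTML before copying it into the editor's content document. The function name, the minimal tag scanner and the sample fragment are assumptions; a real add-on should prefer the platform's own HTML parser over scanning the string.

```javascript
// Added example, not code from the bug report or ScribeFire.
// Removes inline event-handler attributes (onload, onerror, onclick, ...)
// from an HTML fragment before it reaches the <editor> content document.
// Assumption: a minimal tag scanner is enough to show the idea; it honours
// quoted attribute values and leaves comments and stray '<' untouched.
function stripInlineHandlers(html) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);
    // HTML comments are copied through unchanged.
    if (html.startsWith("<!--", lt)) {
      const end = html.indexOf("-->", lt);
      const stop = end === -1 ? html.length : end + 3;
      out += html.slice(lt, stop); i = stop; continue;
    }
    // A '<' not followed by a tag name (e.g. "a < b") is plain text.
    const m = /^<\/?[A-Za-z][^\s\/>]*/.exec(html.slice(lt));
    if (!m) { out += "<"; i = lt + 1; continue; }
    let tag = m[0];
    let j = lt + m[0].length;
    // Walk the attributes one at a time until the closing '>'.
    while (j < html.length && html[j] !== ">") {
      if (/[\s\/]/.test(html[j])) { tag += html[j++]; continue; }
      const start = j;
      while (j < html.length && !/[\s=\/>]/.test(html[j])) j++;
      const name = html.slice(start, j);
      if (html[j] === "=") {
        j++;
        const q = html[j];
        if (q === '"' || q === "'") {
          // Quoted value: may legitimately contain '>' or whitespace.
          const close = html.indexOf(q, j + 1);
          j = close === -1 ? html.length : close + 1;
        } else {
          while (j < html.length && !/[\s>]/.test(html[j])) j++;
        }
      }
      // Keep the attribute unless its name starts with "on" (case-insensitive).
      if (!/^on/i.test(name)) tag += html.slice(start, j);
    }
    out += tag + (j < html.length ? ">" : "");
    i = j + 1;
  }
  return out;
}

// Constructed sample: the fragment from the bug report.
const sampleFragment =
  '<img src="http://www.google.com/intl/en_ALL/images/logo.gif" onload="alert(1);" />';
```

In the testcase, the button handler would pass the textarea's value through stripInlineHandlers() before inserting it, so the onload="" handler never reaches the content document.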
Severity: normal → S3
