Closed Bug 536837 Opened 15 years ago Closed 15 years ago

XSS on HTML wrapper methods

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
minor

RESOLVED DUPLICATE of bug 352437

People

(Reporter: masa141421356, Unassigned)

Details

JavaScript HTML wrapper methods [anchor(), link(), fontsize(), fontcolor()] do not escape HTML special characters. For example,

    "test2".fontcolor("blue\"><b>str<"+"/b>");

returns the following string:

    <font color="blue"><b>str2</b>">test2</font>

I think it is a bug of the web application. There are two reasons.

1. According to the HTML specification, it is not needed to accept HTML special characters for <font size="XX">, <font color="XX">, <a name="XX"> and <a href="XX">.
2. Web developers can replace them using the DOM API.

But it is better to write some documentation for web developers to avoid XSS, or implement HTML escaping.

# I think it is not needed to change the current implementation.
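The escaping the report asks for, as an added example that is not part of the bug report or of the JavaScript engine: escapeHtml, safeFontColor and hasForeignTag are hypothetical helper names, and the built-in fontcolor() is called only to show that the text position is passed through untouched.

```javascript
// Added example (not the engine's code): the Annex B wrapper methods such as
// String.prototype.fontcolor() splice their arguments into markup, so any
// untrusted value must be escaped before it reaches text or attribute position.

// Escape the five characters that can break out of a text node or a
// double-quoted attribute value. '&' goes first to avoid double escaping.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Same shape as "text".fontcolor(color), but both the text and the
// attribute value are escaped before being placed in the markup.
function safeFontColor(text, color) {
  return '<font color="' + escapeHtml(color) + '">' + escapeHtml(text) + "</font>";
}

// Defensive check for markup produced by the wrappers: true if any tag
// other than <font> or </font> is present, i.e. an argument broke out.
function hasForeignTag(html) {
  return /<(?!\/?font[\s>])/i.test(html);
}

// The reporter's payload, aimed at the attribute value (constructed input).
const hostileColor = 'blue"><b>str</b>';
// The same tag placed in the text position, which the built-in never escapes.
const hostileText = "<b>str</b>";

// The built-in wrapper leaves the text position untouched in every engine.
function builtinLeavesTextUnescaped() {
  return hostileText.fontcolor("blue") === '<font color="blue">' + hostileText + "</font>";
}

console.log(safeFontColor("test2", hostileColor)); // attribute payload neutralised
console.log(hasForeignTag(hostileText.fontcolor("blue")));   // true: built-in output
console.log(hasForeignTag(safeFontColor(hostileText, "blue"))); // false: escaped output
```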
Old, arguably even an ill-advised feature (allows composition of some of the methods), in any case a duplicate.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE