(In reply to comment #1)
> I think Ehsan's work in bug 520189 might fix this...
I don't think so. That bug only changes the behavior of the editor. BTW, shouldn't this live in the security group?
Given that there's a public paper and CVE with details? Not sure.
So in particular, you're not changing the paranoid sinks to screen URI attributes?
Judging from this in comment 0, I think that's what's happening here:
> In this case, we will analyse an example of a vulnerable extension which trusts
> the nsIScriptableUnescapeHTML parsing function to filter untrusted content
> which is rendered in a Chrome privileged window
Yeah, then we should do what I suggest in comment 6, I think.
Hi all,
Has this bug been fixed? Please see announcement below:
http://www.mozilla.org/security/announce/2011/mfsa2011-08.html
Also, I cannot access https://bugzilla.mozilla.org/show_bug.cgi?id=562547 which is linked in that announcement so I am not sure what the fix relates to. Also, I am not a Mozilla Security Developer, as reported in that link :-).
Thanks,
Roberto Suggi Liverani
> Has this bug been fixed?
I'm not sure. Daniel, is this the same issue as bug 562547?
> Also, I am not a Mozilla Security Developer, as reported in that link :-).
You're not, but the person who reported bug 562547 (about a month before you reported this bug) is.
Hi Boris,
Thanks for your input. Just to clarify a bit what happened from my side:
- 28th April 2010 - This bug was originally released within this whitepaper - http://www.security-assessment.com/files/whitepapers/Cross_Context_Scripting_with_Firefox.pdf
- 28th April 2010 - NIST has created a CVE entry (CVE-2010-1585) for the bug reported on the white paper. The same CVE ID is referred to in the Mozilla announcement: http://www.mozilla.org/security/announce/2011/mfsa2011-08.html
- 26th May 2010 - Filed this bug in bugzilla.
Cheers,
Roberto
Ah, I see. Daniel reported bug 562547 based on the CVE. So yes, this is fixed. I'll mail Daniel about the mis-attribution. Thanks for bringing this up!
Oh, and you should have access to bug 562547 now.
Oh, it's attributed correctly. Just the description of who you are is wrong. OK, then! Still mailing Daniel. ;)
And my apologies for not reading more carefully!
Hi Boris,
No worries for that ;-). Since this issue has been resolved, is it possible to have that link http://www.mozilla.org/security/announce/2011/mfsa2011-08.html rectified? Or should I contact someone in particular to get the page rectified? Instead of Mozilla Security Developer -> Security Consultant for Security-Assessment.com ;-)
Cheers,
Roberto
Roberto, I did mail Daniel Veditz about that. I _think_ he's the right contact for that... If nothing there changes in a few days, please ping me again?