Output Encode Searches to Prevent XSS

VERIFIED FIXED

Status

Websites
Other
--
major
VERIFIED FIXED
7 years ago
4 years ago

People

(Reporter: mcoates, Unassigned)

Tracking

({wsec-xss})

Details

(Whiteboard: [infrasec:xss], URL)

Issue

The search values are returned to the page without proper output encoding. As a result it is possible for an attacker to insert HTML or JavaScript that could result in modification to the page or redirecting the user to a third party site.

Steps to reproduce
1. Browse to the following URL:
http://firefoxtweetmachine.com/#%3Chr%3Efirefox
2. Wait for the tan search bubble to appear that will say "Showing results for "
3. Observe that the <hr> tag has been rendered
4. Stop the bubble movement by clicking the right lever.
5. Inspect the search element with firebug and observe that the search query was not properly output encoded:
<h1>Showing results for</h1>  	<p>"</p><hr>firefox"

Recommended Remediation
Perform html entity output encoding on the search value when it is returned to the page.

Comment 1

7 years ago
Search queries are now escaped.

Has this fix been pushed live? I just tested it and the issue is still present.

When I enter the search of:
<hr>firefox

the response listed within the twitter bubble message should literally say:
<hr>firefox

Currently the entered html is being evaluated and I see a line and then the word firefox.

The solution is to output encode the value entered by the user. So the actual html would be this:
&lt;hr&gt;firefox

and the user would see 
<hr>firefox

on the webpage.
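The encoding described in the comment above, written out as an added example that is not code from the site or from this bug. It assumes the query is read from the URL fragment (as in the reproduction URL) and that the bubble markup is the one quoted in the report.

```javascript
// Added example (not the site's code): HTML entity output encoding for a
// search term taken from the URL fragment, e.g. "#%3Chr%3Efirefox".

// The five characters that carry meaning in HTML text or attribute context.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace each special character exactly once, so "&" is never re-encoded.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Recover the query from the fragment. decodeURIComponent turns %3C / %3E
// back into "<" and ">", which is why the raw value must not be concatenated
// into markup. Malformed percent-encoding throws, so treat it as no query.
function queryFromHash(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return '';
  }
}

// Before: the query is interpolated raw, so "<hr>" becomes a real element.
function renderBubbleVulnerable(query) {
  return '<h1>Showing results for</h1><p>"' + query + '"</p>';
}

// After: every character with HTML meaning is encoded, so the browser shows
// the literal text <hr>firefox in the bubble.
function renderBubbleSafe(query) {
  return '<h1>Showing results for</h1><p>"' + encodeHtml(query) + '"</p>';
}

const query = queryFromHash('#%3Chr%3Efirefox'); // constructed input from the report
console.log(renderBubbleVulnerable(query)); // ...<p>"<hr>firefox"</p>
console.log(renderBubbleSafe(query));       // ...<p>"&lt;hr&gt;firefox"</p>
```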

Comment 3

7 years ago
Hello, we've deployed the latest version, everything should be fixed now.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Verified.
Status: RESOLVED → VERIFIED
Group: websites-security
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss