Failure to escape HTML in summary of logged failures

VERIFIED FIXED

Status

Tree Management Graveyard
TBPL
--
major
VERIFIED FIXED
6 years ago
3 years ago

People

(Reporter: philor, Unassigned)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
https://tbpl.mozilla.org/?tree=Mozilla-Inbound&onlyunstarred=1&noignore=1&jobname=rev4&rev=ff1d493bf113 has a lot to love, but in this case, STR:

1. Click the orange oth
2. Wait quite a while for the summary popup listing the failures to appear
3. Snicker at the way we actually stick several <menuitem> elements into the HTML of the page, indenting successive failures in test_tmpl_menuelementrecursive.xul in a recursive menuelement sort of way.
4. Decide that just because someone puts some random text in a test error message that happens to have a "<" in it doesn't mean tbpl should treat it as HTML.
5. Think about someone testing XSS, and putting the text of their XSS into the message. Stop snickering.
Created attachment 567421
v1
Attachment #567421 - Flags: review?(arpad.borsos)
Attachment #567421 - Flags: review?(arpad.borsos) → review+
http://hg.mozilla.org/users/mstange_themasta.com/tinderboxpushlog/rev/811e1611dec1
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
This is going into production when bug 697174 is done.
(Reporter)

Updated

6 years ago
Status: RESOLVED → VERIFIED
(Reporter)

Updated

6 years ago
Depends on: 712212
(Assignee)

Updated

3 years ago
Product: Webtools → Tree Management
(Assignee)

Updated

3 years ago
Product: Tree Management → Tree Management Graveyard
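
The failure mode reported in this bug, shown as an added example that is not TBPL's code and not the attached patch: failure lines from a log are concatenated into the summary markup, next to a version that escapes them at output. All function names and the sample log lines are constructed for illustration.

```javascript
// Added example, not TBPL code. Names and sample data are assumptions.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that is significant in HTML text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: log text is concatenated into markup, so any "<" that starts a
// tag-like sequence in a test's error message is parsed as HTML by the browser.
function renderSummaryUnsafe(failureLines) {
  return "<ul>" + failureLines.map((l) => "<li>" + l + "</li>").join("") + "</ul>";
}

// Safe: log text is treated as data and escaped at the point of output.
function renderSummarySafe(failureLines) {
  return "<ul>" + failureLines.map((l) => "<li>" + escapeHtml(l) + "</li>").join("") + "</ul>";
}

// Heuristic check (not an HTML parser): count tag openers/closers in the
// output other than the <ul>/<li> that the renderer itself emits.
function countInjectedTags(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.filter((t) => !/^<\/?(ul|li)$/i.test(t)).length;
}

// Constructed failure lines: one carries markup-like text, one a bare "<".
const SAMPLE_FAILURES = [
  'TEST-UNEXPECTED-FAIL | test_tmpl_menuelementrecursive.xul | expected <menuitem label="a"> got <menuitem label="b">',
  "TEST-UNEXPECTED-FAIL | test_example.js | 1 < 2 && ok",
];

function demo() {
  const unsafe = renderSummaryUnsafe(SAMPLE_FAILURES);
  const safe = renderSummarySafe(SAMPLE_FAILURES);
  return {
    unsafeInjected: countInjectedTags(unsafe), // tags that came from log text
    safeInjected: countInjectedTags(safe),
    safe,
  };
}

console.log(demo());
```

A check like `countInjectedTags` can serve as a regression test for the renderer: any non-zero count on escaped output means log text reached the page as markup.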