Closed Bug 728093 Opened 9 years ago Closed 4 years ago
Error console loads any string result of evaluation as privileged HTML
As part of trying to find a safe way to parse untrusted strings for Bug 714733, Florian Queze noticed that running the following script results in script execution:

    (new DOMParser()).parseFromString("<html><img src=http://localhost/logthis onerror=alert('ohai')></img>", "text/html").documentElement.innerHTML

If you execute the line above in the error console, the alert fires. In a web page, it does not. According to Florian, the script seems to be evaluated when calling the innerHTML getter. Note that the URL http://localhost/logthis is also requested. Not sure if this is intended behavior or not, but raising a bug after asking the question on #developers.
The Error Console executes the script, rather than the DOM Parser. You can easily see this by evaluating "<html><img src=http://localhost/logthis onerror=alert('ohai')></img>" directly.
Component: DOM: Mozilla Extensions → Error Console
Product: Core → Toolkit
QA Contact: general → error.console
Summary: Calling .innerHTML on the result of DOMParser.parseFromString() can cause script execution → Error console loads any string result of evaluation as privileged HTML
Oh, and parsing untrusted strings with DOMParser should in fact be safe.
(In reply to Boris Zbarsky (:bz) from comment #2)
> That seems bad. Is there a reason this code is not tossing a "; void(0);"
> on the end there?

The code depends on the result being written to the DOM to display the return value of the evaluated JS (see loadOrDisplayResult()).
Why is the error console using innerHTML instead of just setting the text content of a DOM node, thus avoiding evaluating any scripts etc?
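Added illustration of the two rendering paths discussed above; this is not the Toolkit Error Console's own loadOrDisplayResult() code, and the function names are hypothetical. The unsafe path hands the evaluation result to innerHTML, so markup in the string is parsed in the chrome-privileged document and an <img onerror=...> fires; the hardened paths either insert the result as text or escape it before building markup.

```javascript
// Added example, not code from the Error Console. renderResultUnsafe mirrors
// the behaviour reported in this bug: the string result is parsed as HTML in
// the privileged console document, so element and event-handler markup in the
// result becomes live (the <img> loads its src and runs its onerror handler).
function renderResultUnsafe(outputEl, result) {
  outputEl.innerHTML = String(result);
  return outputEl;
}

// Hardened path 1: set textContent. The string is stored as a single text node,
// so "<img ...>" is displayed literally and no element or handler is created.
function renderResultSafe(outputEl, result) {
  outputEl.textContent = String(result);
  return outputEl;
}

// Escape the five characters that can open markup or break out of an attribute.
// A single-pass replace is used so an already-escaped "&" is not double-handled.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened path 2: when the console wants its own markup around the value
// (e.g. a styled wrapper), build it only from the escaped result. The wrapper
// class name here is a constructed placeholder.
function renderResultAsMarkup(outputEl, result) {
  outputEl.innerHTML = '<span class="eval-result">' + escapeHtml(result) + "</span>";
  return outputEl;
}

// Console-style formatting of a value before it is rendered as text.
function formatResult(value) {
  if (value === undefined) return "undefined";
  if (typeof value === "string") return value;
  try { return JSON.stringify(value); } catch (e) { return String(value); }
}
```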
This is not a security vulnerability -- either users are doing this to themselves or they've foolishly pasted something malicious. Since the error console is chrome privileged you already lose in that case.
As above, invalid. Also noted that the original reported behavior is no longer observed.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
Product: Toolkit → Toolkit Graveyard