Closed Bug 728093 Opened 9 years ago Closed 4 years ago

Error console loads any string result of evaluation as privileged HTML

Categories

(Toolkit Graveyard :: Error Console, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: pauljt, Unassigned)

Details

As part of trying to find a safe way to parse untrusted strings for Bug 714733, Florian Queze noticed that running the following script results in script execution:

(new DOMParser()).parseFromString("<html><img src=http://localhost/logthis onerror=alert('ohai')></img>", "text/html").documentElement.innerHTML

If you execute the line above in error console, the alert fires. In a web page, it does not.

According to Florian, the script seems to be evaluated when calling the innerHTML getter. Note that the URL http://localhost/logthis is also requested.

Not sure if this is intended behavior or not, but raising a bug after asking the question on #developers.
The Error Console executes the script, rather than the DOM Parser. You can easily see this by evaluating "<html><img src=http://localhost/logthis onerror=alert('ohai')></img>" directly.
No longer blocks: 102699
The error console evaluates script like so:

    gEvaluator.contentWindow.location = "javascript: " +
                                        gCodeToEvaluate.replace(/%/g, "%25");

What that means is that not only will the code be run, but the return value of the code, if any, will be converted to a string, then parsed as HTML in a chrome context.

That seems bad.  Is there a reason this code is not tossing a "; void(0);" on the end there?
Group: core-security
Component: DOM: Mozilla Extensions → Error Console
Product: Core → Toolkit
QA Contact: general → error.console
Summary: Calling .innerHTML on the result of DOMParser.parseFromString() can cause script execution → Error console loads any string result of evaluation as privileged HTML
Oh, and parsing untrusted strings with DOMParser should in fact be safe.
(In reply to Boris Zbarsky (:bz) from comment #2)
> That seems bad.  Is there a reason this code is not tossing a "; void(0);"
> on the end there?

The code depends on the result being written to the DOM to display the return value of the evaluated JS (see loadOrDisplayResult()).
Why is the error console using innerHTML instead of just setting the text content of a DOM node, thus avoiding evaluating any scripts etc?
This is not a security vulnerability -- either users are doing this to themselves or they've foolishly pasted something malicious. Since the error console is chrome privileged you already lose in that case.
Group: core-security
As above, invalid. Also noted that the original reported behavior is no longer observed.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
Product: Toolkit → Toolkit Graveyard