Closed Bug 741874 Opened 12 years ago Closed 12 years ago

[Security Review][Action Item]WebSMS - gaia code review

Categories

(mozilla.org :: Security Assurance, task)

x86
macOS
task
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 754746

People

(Reporter: curtisk, Assigned: pauljt)


Details

(Whiteboard: [start 04/18/2012][target 05/02/2012])

Look at Gaia code - ensure dialer and sms can't be opened in an iframe maybe? Comes back to permissions model of B2G - gaia sms app author is vingtetun on IRC
Whiteboard: [start 04/18/2012][target 05/02/2012]
Started gaia testing, note that some of the b2g features are not finished yet (for example window.open and window.prototype don't behave properly for mozbrowser).

Also a lot depends on the permission model which isn't finalised yet. This may delay this review, just FYI.
Initial review complete, code still under development though.

Only real issue so far is the approach to sanitizing untrusted HTML. Current approach uses an ad hoc function:

function escapeHTML(str, escapeQuotes) {
  // Let the DOM serialise the text-node metacharacters (&, <, >).
  var span = document.createElement('span');
  span.textContent = str;

  // innerHTML does not escape quotes, so they are replaced by hand when the
  // result is meant for a quoted attribute value.
  if (escapeQuotes)
    return span.innerHTML.replace(/"/g, '&quot;').replace(/'/g, '&#39;');
  return span.innerHTML;
}

Seems OK at first glance, but I can see this being error prone (for example, this will not help for any dynamically generated script content). Maybe this can be mitigated with content security policy.

Maybe just adding a helper function might improve things, but it seems like something that could be leveraged from elsewhere. e.g:

function escapeQuotedAttribute(str) {
  return escapeHTML(str, true);
}

Another potential misuse case: escapeHTML(str, true) will only work when escaping a single quoted attribute. If used for a list of attributes or similar this would be a risk.

It would be better to come up with a specific library used across gaia apps to escape untrusted content. Maybe something already exists that can be used for this purpose.
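The following is an added example illustrating the two points made in this review (text-node escaping is not attribute escaping, and a helper that always quotes the attribute removes the need for callers to remember the escapeQuotes flag). It is not Gaia code and was not written by the reviewer; the names escapeText, escapeAttrValue, startTag, unsafeTitle and safeTitle are hypothetical, and the string-based escaper stands in for the DOM-based one so that it runs in Node without a document object.

```javascript
// Added example, not Gaia code. Context-aware escaping helpers for untrusted
// strings destined for HTML. Pure string replacement is used in place of
// span.textContent / span.innerHTML so the code runs without a DOM.

const TEXT_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
const ATTR_MAP = Object.assign({ '"': '&quot;', "'": '&#39;' }, TEXT_MAP);

// Escape for an HTML text node: the same characters innerHTML serialises
// for a text node (quotes are deliberately left alone, as in escapeHTML(str)).
function escapeText(str) {
  return String(str).replace(/[&<>]/g, (c) => TEXT_MAP[c]);
}

// Escape for a value placed inside a double-quoted attribute.
function escapeAttrValue(str) {
  return String(str).replace(/[&<>"']/g, (c) => ATTR_MAP[c]);
}

// Build a start tag from an attribute map, always quoting every value, so a
// caller never has to pick an escaping mode per attribute. Tag and attribute
// names come from the template, not from untrusted input, but are still
// validated against a narrow alphabet and rejected rather than emitted.
function startTag(tagName, attrs) {
  if (!/^[a-zA-Z][a-zA-Z0-9-]*$/.test(tagName)) {
    throw new Error('bad tag name: ' + tagName);
  }
  const parts = [tagName];
  for (const [name, value] of Object.entries(attrs)) {
    if (!/^[a-zA-Z_:][a-zA-Z0-9_:.-]*$/.test(name)) {
      throw new Error('bad attribute name: ' + name);
    }
    parts.push(`${name}="${escapeAttrValue(value)}"`);
  }
  return `<${parts.join(' ')}>`;
}

// Constructed sample: a contact name as it could arrive in an untrusted message.
const hostileName = 'x" onclick="evil()';

// The misuse the review warns about: text-node escaping dropped into an
// attribute. Quotes pass through untouched and terminate the attribute early.
function unsafeTitle(name) {
  return `<a title="${escapeText(name)}">`;
}

// The same markup built through the quoting helper: the quote is neutralised
// and the whole string stays inside the title attribute.
function safeTitle(name) {
  return startTag('a', { title: name });
}

console.log(unsafeTitle(hostileName));
console.log(safeTitle(hostileName));
```

Running the block prints the two renderings side by side: the first yields a tag with an extra onclick attribute, the second keeps the entire name inside the title value. The design point is that the escaping function is chosen by the output context (text node versus quoted attribute) and is applied by the code that writes the markup, not selected per call through a boolean.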
Closing this bug to merge it with the other gaia code review bugs
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE