Closed Bug 809247 Opened 12 years ago Closed 12 years ago

[Contacts] HTML in first and last names are not escaped in the contact list

Categories

(Firefox OS Graveyard :: Gaia, defect)

All
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 808946

People

(Reporter: MattN, Unassigned)

Details

(Keywords: b2g-testdriver, Whiteboard: [sg:dupe 808946])

Attachments

(1 file)

STR:
1) Type HTML in the first and last name fields of a contact
2) Click update
3) View the contact in the contact listing

Actual results:
HTML is rendered because it is not escaped

Expected results:
HTML is escaped

With support for importing vcard files (.vcf) or from services like Facebook there is potential to exploit this without physical access to the device.
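The behaviour reported above, as an added example that is not part of the original bug report and is not Gaia's code: a contact name taken from an imported vCard is rendered into list markup once without escaping and once with escaping at the point of output. The sample vCard, the function names and the list markup are all constructed for illustration.

```javascript
// Added example: names and helpers here are hypothetical, not Gaia's code.

// Constructed sample: a vCard whose N field (Last;First;...) carries markup.
const SAMPLE_VCF = [
  'BEGIN:VCARD',
  'VERSION:3.0',
  'N:<i>Doe</i> & "Co";<b>Jane</b>;;;',
  'END:VCARD',
].join('\r\n');

// Minimal N-field reader for the sample (no line folding or parameters).
function parseName(vcf) {
  const line = vcf.split(/\r?\n/).find((l) => l.toUpperCase().startsWith('N:'));
  if (!line) return { givenName: '', familyName: '' };
  const [familyName = '', givenName = ''] = line.slice(2).split(';');
  return { givenName, familyName };
}

// Escape the five characters that are significant in HTML text and attributes.
function escapeHTML(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the name is concatenated into markup as-is, so tags in it render.
function renderContactUnsafe(c) {
  return '<li><strong>' + c.givenName + '</strong> ' + c.familyName + '</li>';
}

// "After": every untrusted field is escaped where it is written out.
function renderContactSafe(c) {
  return '<li><strong>' + escapeHTML(c.givenName) + '</strong> ' +
    escapeHTML(c.familyName) + '</li>';
}

const contact = parseName(SAMPLE_VCF);
console.log(renderContactUnsafe(contact));
console.log(renderContactSafe(contact));
```

When the list is built through the DOM rather than by string concatenation, assigning the name with `textContent` instead of `innerHTML` gives the same result without a separate escaping helper.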
Summary: [Contacts] HTML in first and last names are not escaped the contact list → [Contacts] HTML in first and last names are not escaped in the contact list
MattN, is this a dupe of bug 808946?
Yes
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 808946]
Group: core-security