Code example "showModalDialogBox" vulnerable to XSS with certain input

RESOLVED DUPLICATE of bug 827398

Status

developer.mozilla.org
Security
6 years ago
2 years ago

People

(Reporter: openjck, Unassigned)

Details

(Whiteboard: [site:developer.mozilla.org])

(Reporter)

Description

6 years ago
Quoting :curtisk from bug 769757.

> http://developer.mozilla.org/samples/domref/showModalDialogBox.html
> Vuln Code:
>
> <script>
> document.write("Modal dialog got argument: " + window.dialogArguments);
> </script>
>
> The page gets arguments using "window.dialogArguments" and writes them to the
> page without HtmlEncoding.
> fix: use escape function \ other html encoding mechanism.
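
The quoted sample next to an HTML-encoded form, as an added example that is not part of the original report or MDN's code. The function names, parameter names and the sample argument are constructed for illustration.

```javascript
// Characters that change meaning in HTML element content or quoted attributes.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// HTML-encode any value. dialogArguments may be an object, a number or
// undefined, so coerce to a string before encoding.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// What the reported sample passes to document.write(): the argument as-is.
function unsafeMarkup(dialogArguments) {
  return "Modal dialog got argument: " + dialogArguments;
}

// Hardened form: the argument is encoded, so it can only render as text.
function safeMarkup(dialogArguments) {
  return "Modal dialog got argument: " + escapeHtml(dialogArguments);
}

// Alternative without document.write(): a text node is never parsed as markup.
// `doc` is a Document and `parent` an Element (hypothetical parameter names).
function appendArgumentAsText(doc, parent, dialogArguments) {
  const text = "Modal dialog got argument: " + String(dialogArguments);
  return parent.appendChild(doc.createTextNode(text));
}

// Constructed sample argument: harmless markup that shows the difference.
const SAMPLE_ARGUMENT = '<b id="injected">bold</b> & more';

// Returns both strings so they can be compared side by side.
function demo() {
  return { unsafe: unsafeMarkup(SAMPLE_ARGUMENT), safe: safeMarkup(SAMPLE_ARGUMENT) };
}

console.log(demo());
```

In the unsafe string the `<b>` element would be parsed by the browser; in the safe string it is displayed literally.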
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 827398
Whiteboard: [site:developer.mozilla.org]
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security