Closed Bug 832930 Opened 13 years ago Closed 10 years ago

Tracking: Favor use of createElement and textContent instead of innerHTML in Gaia

Categories

(Firefox OS Graveyard :: Gaia, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: freddy, Unassigned)

The use of innerHTML in many Gaia apps presents the possibility of these apps being susceptible to XSS. During our ongoing security reviews, we are making sure that none of them are. But in order to make these reviews more efficient, code could be rewritten to simply state that certain HTML operations are safe indeed. I would like to investigate how some code changes and rewrites can be handled automatically by diving into Static Code Analysis and implementing the low-hanging fruit (at least!). It looks like there have been some investments into SCA by Mozilla already (cf. https://brendaneich.com/2010/08/static-analysis-ftw/), which could make things easier.
Component: Security Assurance: Applications → Gaia
Product: mozilla.org → Boot2Gecko
Version: other → unspecified
Thank you for filing the bug. Besides comment 0, if we could establish a common pattern for replacing these innerHTMLs, we could then file bugs against the apps and rewrite them manually.
We went with a different approach and disallow innerHTML unless using a fine escaper. See bug 1211384 for more.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
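
A sketch of the kind of check the closing comment describes (reject innerHTML assignments unless the value is constant markup or goes through an escaper), as an added example that is not Gaia's or Mozilla's own code. The escaper name `escapeHTML`, the function names and the sample lines are assumptions constructed for illustration.

```javascript
// Line-based heuristic, not a parser: flags assignments to innerHTML whose
// right-hand side is neither constant markup nor a single escaper call.
// ESCAPER is a hypothetical name; substitute the project's escaping helper.
const ESCAPER = 'escapeHTML';

// Matches "x.innerHTML = rhs" and "x.innerHTML += rhs", but not == or ===.
const ASSIGN = /\.innerHTML\s*(\+?=)(?!=)\s*(.*?);?\s*$/;
// A single quoted string literal with nothing concatenated to it.
const CONST_STRING = /^(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")$/;
// A template literal that contains no ${...} interpolation.
const STATIC_TEMPLATE = /^`(?:[^`\\$]|\\.|\$(?!\{))*`$/;
// The whole right-hand side is one tagged template: escapeHTML`...`
const ESCAPED = new RegExp('^' + ESCAPER + '`[^`]*`$');

function isSafeRhs(rhs) {
  return CONST_STRING.test(rhs) || STATIC_TEMPLATE.test(rhs) || ESCAPED.test(rhs);
}

// Returns [{ line, code }] for every assignment that cannot be shown safe.
// An empty right-hand side (value continues on the next line) is flagged
// too, so the check fails closed instead of silently passing.
function findUnsafeInnerHTML(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    const m = ASSIGN.exec(text);
    if (m && !isSafeRhs(m[2].trim())) {
      findings.push({ line: i + 1, code: text.trim() });
    }
  });
  return findings;
}

// Constructed sample input, not taken from any Gaia app.
const SAMPLE = [
  "title.innerHTML = '<b>Settings</b>';",
  "item.innerHTML = '<li>' + contact.name + '</li>';",
  "item.innerHTML = escapeHTML`<li>${contact.name}</li>`;",
  "list.innerHTML += `<li>${contact.name}</li>`;",
  "if (panel.innerHTML === '') return;",
  "label.textContent = contact.name;",
].join('\n');

for (const f of findUnsafeInnerHTML(SAMPLE)) {
  console.log(`line ${f.line}: ${f.code}`);
}
```

Because it works line by line, the check errs toward false positives (for example, a trailing comment after a constant string is flagged); a production rule would walk the parsed syntax tree instead.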