The parameters of the "new" activity are not properly validated. There are two: id and extras. Both of these are copied from the activity to the page request parameters and then used later. I don't think you can do anything evil with the id parameter but it looks like the "extras" entries are blindly copied to a contact template. This is where the params are copied: https://github.com/mozilla-b2g/gaia/blob/v1-train/apps/communications/contacts/js/activities.js#L32 And this is where they are used: https://github.com/mozilla-b2g/gaia/blob/v1-train/apps/communications/contacts/js/contacts.js#L79
They are blindly copied, but escaped when displaying. When you said something evil, did you mean script injection or something I'm missing? Thanks!
Alberto, I don't know. I did not find any documentation on what parameters the activity accepts nor did I find a list in the code to limit what it accepts. I just think something needs to look at this to make sure no surprises can happen.
Makes sense to check those parameters with more care. I'll do that and avoid 'new' becoming an 'update' activity. Thanks for the review!
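The thread describes the fix (restrict which `extras` are accepted and make sure a "new" activity cannot carry an `id` that would turn it into an update) but does not show it. The following is an added example written for this page, not Gaia's code: an allowlist-based validation step that could run before the activity parameters are copied into the page request. The contact field names, their types and the length cap are assumptions for illustration; the real contact schema is not given in the thread.

```javascript
// Added example (not Gaia's code): allowlist validation of the parameters a
// "new" contact activity is allowed to pass on. The allowed field names, the
// expected value types and the length cap are assumptions for illustration.
const ALLOWED_EXTRAS = {
  givenName: 'string',
  familyName: 'string',
  tel: 'stringArray',
  email: 'stringArray',
  note: 'string',
};
const MAX_FIELD_LENGTH = 256; // assumed cap to keep template fields bounded

function isCleanString(value) {
  return typeof value === 'string' && value.length <= MAX_FIELD_LENGTH;
}

// Returns { extras, dropped }: `extras` holds only allowlisted, well-typed
// entries; `dropped` lists every key that was refused, so the caller can log it.
function validateNewActivityParams(source) {
  const result = { extras: {}, dropped: [] };
  if (source === null || typeof source !== 'object') return result;

  // A "new" activity must never forward an id: an id would make the later
  // code path treat the request as an update of an existing contact.
  if (Object.prototype.hasOwnProperty.call(source, 'id')) result.dropped.push('id');

  const extras = source.extras;
  if (extras === null || typeof extras !== 'object') return result;

  for (const key of Object.keys(extras)) {
    // hasOwnProperty keeps inherited names such as "constructor" off the allowlist.
    const kind = Object.prototype.hasOwnProperty.call(ALLOWED_EXTRAS, key)
      ? ALLOWED_EXTRAS[key]
      : undefined;
    const value = extras[key];
    if (kind === 'string' && isCleanString(value)) {
      result.extras[key] = value;
    } else if (kind === 'stringArray' && Array.isArray(value) && value.every(isCleanString)) {
      result.extras[key] = value.slice();
    } else {
      result.dropped.push(key); // unknown key, wrong type or oversized value
    }
  }
  return result;
}

// Constructed sample input: an activity that tries to smuggle an id and an
// unknown field alongside legitimate contact data.
const sampleActivity = {
  id: '42',
  extras: { givenName: 'Ann', tel: ['+15550100'], role: 'admin', familyName: 5 },
};
console.log(validateNewActivityParams(sampleActivity));
```

The validated object, rather than the raw activity source, is what would be copied into the page request parameters; everything in `dropped` is a signal worth logging, since a well-behaved caller of the "new" activity has no reason to send an `id` or fields outside the contact schema.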
blocking-b2g: --- → backlog
blocking-b2g: backlog → ---
tracking-b2g: --- → backlog
Priority: -- → P4
Firefox OS is not being worked on
Status: NEW → RESOLVED
Last Resolved: 4 months ago
Resolution: --- → WONTFIX