Closed Bug 858507 Opened 11 years ago Closed 11 years ago

escapeHTML in the profiler's tree.js file does not really escape HTML

Category: DevTools :: Performance Tools (Profiler/Timeline)
Type: defect
Priority: Not set
Severity: normal
Tracking: (Not tracked)
Status: RESOLVED DUPLICATE of bug 873966
Reporter: freddy, Assigned: anton
Keywords: sec-low

It looks like the escapeHTML function was created to prevent harmful HTML injection into chrome code, but the function does not really escape HTML.

This is probably due to its prototype coming from HTML where 
> var escape = document.createElement('textarea');
creates an HTML element.
In the profiler, this should however create a XUL element.
The code should instead say:
> var escape = document.createElementNS("http://www.w3.org/1999/xhtml","textarea");

Also, the escapeHTML function should return the .value property instead of .innerHTML, shouldn't it?
Okay, I was wrong about the scope being XUL and that you need a different createElement call, but that doesn't affect what I pointed out in the very last sentence: escapeHTML does not really escape HTML.
This bug is not exploitable because the location of a script file is URL encoded.
That means, basically, that we are not vulnerable by accident. I actually think the interface should have pretty and human-readable URLs.

tl;dr: please fix escapeHTML to use .value :)
Keywords: sec-moderate → sec-low
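An added example (not code from the profiler's tree.js): a string-based escapeHTML that does not depend on DOM element quirks, together with a check of the "not vulnerable by accident" point above, showing that a URL-encoded script location carries no markup while a decoded, human-readable one does. The sample location and the helper names are constructed for this example.

```javascript
// Characters that can break out of a text or attribute context in HTML.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape without relying on textarea.innerHTML / .value behaviour.
function escapeHTML(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// True if the string still contains characters the HTML parser would treat
// as markup: angle brackets, double quotes, or an ampersand that is not one
// of the entities escapeHTML emits.
function containsMarkup(str) {
  return /[<>"]/.test(str) || /&(?!(?:amp|lt|gt|quot|#39);)/.test(str);
}

// Constructed sample: a script "location" whose file name carries a tag.
const SAMPLE_LOCATION = "http://example.test/js/<b>tree</b>.js";

// Compare the three ways a profiler tree node label could be built:
// the URL-encoded form (safe only by accident), the decoded "pretty" form
// (markup reintroduced), and the decoded form passed through escapeHTML.
function describeLocation(location) {
  const encoded = encodeURIComponent(location);
  const decoded = decodeURIComponent(encoded);
  return {
    encodedIsSafe: !containsMarkup(encoded),
    decodedIsSafe: !containsMarkup(decoded),
    escapedIsSafe: !containsMarkup(escapeHTML(decoded)),
    escaped: escapeHTML(decoded),
  };
}

console.log(describeLocation(SAMPLE_LOCATION));
```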
Assignee: nobody → anton
Status: NEW → ASSIGNED
Closing this as a dup of bug 873966.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security
Product: Firefox → DevTools