Closed Bug 919357 Opened 6 years ago Closed 6 years ago
Needinfo extension does not escape user names
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0 (Beta/Release)
Build ID: 20130917102605

Steps to reproduce:
1) Visit https://bugzilla.mozilla.org/show_bug.cgi?id=469018
2) Towards the bottom of the page, change the needinfo to the assignee

Actual results:
Displays 'Simon Green'

Expected results:
Displays 'Simon Green <firstname.lastname@example.org>'
Assignee: nobody → simon
Severity: normal → critical
Status: NEW → ASSIGNED
Depends on: 917483
Committing to: bzr+ssh://email@example.com/bmo/4.2/
modified extensions/Needinfo/template/en/default/bug/needinfo.html.tmpl
Committed revision 9029.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
How can we make this less likely to happen in the future? Have and use a combined htmljs filter? Get some lint thing to specifically check for both html and js escaping between <script> tags?

Gerv
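Added example, not part of the bug thread and not Bugzilla's own code: a sketch of the kind of lint check suggested in the comment above, reporting template directives between `<script>` tags that lack either the `js` or the `html` filter. It assumes Template Toolkit `[% ... %]` syntax with filters applied as `FILTER name` or `| name`; the sample template and its variable names are constructed.

```python
import re

# Assumptions: Template Toolkit syntax, filters named "js" and "html".
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
DIRECTIVE_RE = re.compile(r"\[%[-+]?\s*(.*?)\s*[-+]?%\]", re.S)
FILTER_RE = re.compile(r"(?:\bFILTER\s+|\|\s*)(\w+)")
REQUIRED = {"js", "html"}
# Directives that emit no value and so need no filter.
NO_OUTPUT = {"IF", "UNLESS", "ELSIF", "ELSE", "END", "FOREACH", "FOR",
             "WHILE", "SET", "DEFAULT", "BLOCK", "USE", "SWITCH", "CASE"}


def lint_script_blocks(template):
    """Return (line, directive, missing_filters) for each value emitted
    inside <script>...</script> without both required filters."""
    findings = []
    for script in SCRIPT_RE.finditer(template):
        for d in DIRECTIVE_RE.finditer(script.group(1)):
            body = d.group(1)
            if not body or body.startswith("#") or body.split()[0] in NO_OUTPUT:
                continue
            missing = REQUIRED - set(FILTER_RE.findall(body))
            if missing:
                # Translate the offset inside the script block to a file line.
                offset = script.start(1) + d.start()
                line = template.count("\n", 0, offset) + 1
                findings.append((line, body, sorted(missing)))
    return findings


# Constructed sample template; variable names are hypothetical.
SAMPLE = """\
<script type="text/javascript">
  var assignee = "[% assignee_name FILTER js %]";
  var reporter = "[% reporter_name FILTER js FILTER html %]";
  [% IF show_cc %]
  var cc = "[% cc_name | html %]";
  [% END %]
  var raw = "[% raw_name %]";
</script>
<p>[% outside_name FILTER html %]</p>
"""

if __name__ == "__main__":
    for line, directive, missing in lint_script_blocks(SAMPLE):
        print(f"line {line}: [% {directive} %] missing {', '.join(missing)}")
```

Directives outside `<script>` blocks are ignored here, since ordinary HTML contexts need only the `html` filter.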
Given the user interaction required I find it hard to rate this as sec-critical. Your best bet at pulling this off as an attack is to file a concerning but incomplete bug against your potential victim and hope they needinfo? the reporter rather than just ask in a comment. And do so without having initially noticed that your user name at the top of the bug report included "<script src=attack.js>" or whatever.