Bug 941562
Opened 11 years ago
Closed 11 years ago
Make the encoding of documents that declare HZ unoverridable
Categories (Core :: DOM: HTML Parser, defect)
Tracking: RESOLVED FIXED, mozilla28
People (Reporter: hsivonen, Assigned: hsivonen)
Attachments (1 file)
6.60 KB, patch | emk: review+
When a document is encoded in HZ, interpreting it according to another encoding is an XSS hazard. The patch for bug 863728 adds infrastructure that makes it possible to make non-UTF-16 documents ignore the character encoding menu. We should make HZ documents ignore it in order to defend against socially engineered XSS.
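An added illustration of the hazard described above, not part of the original bug report or the Gecko patch: the same bytes decoded as HZ and as an ASCII-compatible encoding, plus a model of the "declared HZ cannot be overridden" policy. Python's `hz` codec stands in for the browser's decoder, the sample bytes are constructed, and the names `markup_exposed`, `effective_encoding` and `UNOVERRIDABLE` are hypothetical.

```python
# Added illustration; not Gecko code. All names here are hypothetical.
MARKUP_CHARS = set("<>\"'&")
UNOVERRIDABLE = {"hz"}  # models the policy in this bug: a declared HZ encoding sticks


def markup_exposed(raw, declared, alternative):
    """Markup-significant characters that exist only when `raw` is decoded
    with `alternative` instead of the encoding the document declared."""
    intended = raw.decode(declared)
    reinterpreted = raw.decode(alternative, errors="replace")
    return (MARKUP_CHARS & set(reinterpreted)) - set(intended)


def effective_encoding(declared, menu_choice):
    """Encoding used for decoding once the encoding menu is taken into account.
    `menu_choice` is None when the user has not picked anything."""
    if menu_choice is None or declared in UNOVERRIDABLE:
        return declared
    return menu_choice


# Constructed sample: between ~{ and ~} HZ reads 7-bit bytes in pairs as GB2312
# characters, so these four bytes are two hanzi in HZ but a harmless <em> tag
# in any ASCII-compatible encoding.
SAMPLE = b"text ~{<em>~} more text"

if __name__ == "__main__":
    print(repr(SAMPLE.decode("hz")))            # no '<' or '>' in the text
    print(repr(SAMPLE.decode("windows-1252")))  # same bytes, now containing a tag
    print(sorted(markup_exposed(SAMPLE, "hz", "windows-1252")))
    print(effective_encoding("hz", "windows-1252"))
```

A server-side filter that inspects the HZ-decoded text sees no markup in `SAMPLE`, which is why the override has to be refused on the client.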
Comment 1 • 11 years ago (Assignee)
Comment 2 • 11 years ago (Assignee)
Comment 3 • 11 years ago (Assignee)
Comment on attachment 8336003
One-line fix & copy-paste test
As a side effect, this also makes HZ not inherit into iframes, which is also desirable in the light of its XSS characteristics.
Attachment #8336003 - Flags: review?(VYV03354)
Comment 4 • 11 years ago
Comment on attachment 8336003
One-line fix & copy-paste test
Let's see what's going on.
Attachment #8336003 - Flags: review?(VYV03354) → review+
Comment 5 • 11 years ago (Assignee)
Thank you. Landed:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5570fe44ba0e
Comment 6 • 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla28