Open Bug 960307 Opened 12 years ago Updated 3 years ago

Html injection with bookmark copy/paste.

Categories: Firefox :: Security, defect


Reporter: azatom, Unassigned


User Agent: Mozilla/5.0 (Windows NT 6.3; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131205075310

Steps to reproduce:

1. Create a new bookmark (in the bookmarks menu, right click/New bookmark...) with location: javascript:(function(){alert('">name<"')})()
2. In the bookmarks menu, right click the new bookmark and choose copy.
3. Paste into any html area/rich editor in any program, like an email editor, or just an html page after setting document.body.contentEditable=true in the web console.

Actual results:

The text that appears is: name<"')})()">New Bookmark

Expected results:

The text that appears should be: New Bookmark
My investigation: (I tried with a bookmarks folder with the same result. If I typed not a bookmarklet but a location beginning with http, it escaped the apostrophes, but I think other methods of creating a bookmark can leave unescaped apostrophes. I tried it on Windows with other programs like Chrome too.)

I viewed the Windows clipboard with NirSoft's InsideClipboard program. I saw lots of formats of the copied bookmarks, like plain text, JSON format, and the html bookmark format. The latter was:

...(skipped some text)..
<html><body>
<!--StartFragment--><A HREF="javascript:(function(){alert('">name<"')})()">New Bookmark</A>
<!--EndFragment-->
</body>
</html>

There is clearly NOT (proper) escaping.
Not relevant, but my intention when discovering this bug was exporting (only one) bookmarks folder to html. If I export to html with the 'Library', it escapes correctly.
Status: UNCONFIRMED → NEW
Component: Untriaged → Serializers
Ever confirmed: true
OS: Windows 8.1 → All
Product: Firefox → Core
Version: 26 Branch → Trunk
Sorry
Status: NEW → UNCONFIRMED
Component: Serializers → Untriaged
Ever confirmed: false
Product: Core → Firefox
I think there is no injection. Firefox removes the relevant parts of the function to protect you.
Component: Untriaged → Security
Hardware: x86 → All
(In reply to sjw from comment #4)
> I think there is no injection. Firefox removes the relevant parts of the
> function to protect you.

I do not define it, but injection means something like one parser parsing a string that was originally targeted at another parser; commonly this happens through improper escaping. This happens now.

I do not know what you mean by "Firefox removes..". Firefox CAN NOT do anything; it generates WRONG html code as in "comment 1" (without escaping, urlencode or whatever for the href). AFTER that, other programs can access that clipboard. That href part and the "New bookmark" (displayed html) text targeted different parsers, and eventually the GoogleChromeBrowser (or anything that gets the clipboard) parsed the href part as html. The bug is clearly in the clipboard's html format that is generated by Firefox. (Other formats like json and plaintext are OK.)

I do not mean any serious security flaw by this injection; I had not tried any more complicated examples. But since it prevented my intentions, it is a bug. Maybe you meant removing the part before the "name...", but the 'name<"\')})()' was already part of the href. I think that part with some work can be real html code instead of this visual junk, but that's not the point. The visual injection to my eye has already happened :) (Chrome pasted not the names of the bookmarks but the contents.) In the current example Firefox (or Chrome or any other program that Firefox can't handle) had not run any code, but it surely can happen. Even if bookmarklets are "obsolete", Firefox should not generate wrong html by copying a bookmark, and I think it can happen with not only bookmarklets.
Maybe the summary should be "Unescaped html part of clipboard on copying bookmark"?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Severity: normal → S3