Opened 10 years ago

Closed 10 years ago

Last modified 3 years ago

#2780 closed defect (fixed)

Investigate Torbutton translation input validation issue

Reported by: mikeperry
Owned by: mikeperry
Priority: Immediate
Milestone:
Component: Applications/Torbutton
Version:
Severity: Normal
Keywords: TorbuttonIterationFires20110320 MikePerryIterationFires20110320
Cc:
Actual Points: 2
Parent ID:
Points: 2
Reviewer:
Sponsor:


We had a random anonymous person show up on IRC who pointed out that Transifex was not filtering their input for XSS or other attacks. While this is bad for our website, it is potentially even worse for Torbutton. XUL XSS means arbitrary code execution.

I spoke with Dan Veditz and he both half-chastised me for trusting this input, and also explained the history Mozilla went through before they managed to make Personas safe to deploy. DTD elements can carry arbitrary XUL elements. Properties are much less risky unless you use them as .innerHTML in DOM manipulations.

I also tried to see if I could "break out" of a DTD element used inside an attribute by closing the quote and injecting a script attribute. I could not.

I believe this means that only two of our DTD elements should actually be vulnerable to this.
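The check the ticket is asking for, as an added example (this is not Runa's validation script and not Torbutton code): a validator for Mozilla-style `.dtd` and `.properties` localization files that rejects translated strings which could smuggle XUL markup into the extension. For `.dtd` entity values it refuses literal `<`/`>`, numeric character references that decode to `<`, `>` or `&` (the XML parser expands those into the entity's replacement text, so they become markup wherever the entity is referenced), and any named entity reference other than the five predefined ones. For `.properties` it only reports values containing a tag, since, as the description says, those are harmless unless the extension hands them to `.innerHTML`. It makes no attempt to detect quote breakouts inside attributes, consistent with the reporter's finding that they do not work. The sample files and entity names are constructed for the example.

```python
import re

# Constructed sample translation files (not taken from the ticket or from Torbutton).
DTD_SAMPLE = """\
<!ENTITY torbutton.button.tooltip "Toggle Tor status">
<!ENTITY torbutton.prefs.title   "Torbutton Preferences">
<!ENTITY torbutton.safe.amp      "Cookies &amp; History">
<!ENTITY torbutton.bad.tag       "Hello <script>alert(1)</script>">
<!ENTITY torbutton.bad.charref   "Hello &#60;script&#62;alert(1)&#60;/script&#62;">
<!ENTITY torbutton.bad.entref    "Hello &injected;">
"""

PROPERTIES_SAMPLE = """\
# comment line
torbutton.popup.enabled=Tor Enabled
torbutton.popup.html=<img src=x onerror=alert(1)>
"""

# The only named references XML guarantees to resolve to plain characters.
PREDEFINED = {"amp", "lt", "gt", "quot", "apos"}

# <!ENTITY name "value"> or <!ENTITY name 'value'>; values may span lines.
DTD_ENTITY_RE = re.compile(r"<!ENTITY\s+(\S+)\s+([\"'])(.*?)\2\s*>", re.DOTALL)
CHARREF_RE = re.compile(r"&#(x[0-9A-Fa-f]+|[0-9]+);")
NAMEDREF_RE = re.compile(r"&([A-Za-z_][\w.\-]*);")


def check_dtd_value(value):
    """Return a list of problems found in one DTD entity value (empty if clean).

    Literal '<'/'>' and numeric references to '<', '>' or '&' are rejected because
    the parser includes them in the entity's replacement text, where they are
    parsed as markup at every reference site. Named references other than the
    predefined five are bypassed at declaration time and resolved in the including
    document, so they are rejected as well.
    """
    problems = []
    if "<" in value or ">" in value:
        problems.append("literal markup character")
    for m in CHARREF_RE.finditer(value):
        ref = m.group(1)
        code = int(ref[1:], 16) if ref.startswith("x") else int(ref)
        if code in (38, 60, 62):  # '&', '<', '>'
            problems.append("character reference %s decodes to %s" % (m.group(0), chr(code)))
    for m in NAMEDREF_RE.finditer(value):
        if m.group(1) not in PREDEFINED:
            problems.append("non-predefined entity reference %s" % m.group(0))
    return problems


def check_dtd(text):
    """Return {entity_name: [problems]} for every offending entity in a .dtd file."""
    bad = {}
    for m in DTD_ENTITY_RE.finditer(text):
        name, value = m.group(1), m.group(3)
        problems = check_dtd_value(value)
        if problems:
            bad[name] = problems
    return bad


def check_properties(text):
    """Return {key: value} for .properties entries whose value contains a tag.

    Lower severity than the DTD case: a .properties string stays plain text
    unless extension code assigns it to .innerHTML, so treat these as warnings.
    """
    warnings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        if not sep:
            continue
        if re.search(r"<\s*/?\s*[A-Za-z]", value):
            warnings[key.strip()] = value.strip()
    return warnings


if __name__ == "__main__":
    for name, problems in check_dtd(DTD_SAMPLE).items():
        print("DTD  %s: %s" % (name, "; ".join(problems)))
    for key, value in check_properties(PROPERTIES_SAMPLE).items():
        print("PROP %s: %s" % (key, value))
```

Run against a translation drop before it is merged; any non-empty result from `check_dtd` should fail the import outright, while `check_properties` hits are worth a manual look at how the extension uses that key.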


Change History (2)

comment:1 Changed 10 years ago by mikeperry

Actual Points: 2
Resolution: fixed
Status: new → closed

Runa worked on a validation script that is better than nothing. I'm going to close this, and if the output of that script annoys me enough, I'll open a new ticket for improving it.

comment:2 Changed 3 years ago by teor

Severity: Normal

Set all tickets without a severity to "Normal"
