Opened 8 years ago

Closed 8 years ago

Last modified 16 months ago

#2780 closed defect (fixed)

Investigate Torbutton translation input validation issue

Reported by: mikeperry
Owned by: mikeperry
Priority: Immediate
Milestone:
Component: Applications/Torbutton
Version:
Severity: Normal
Keywords: TorbuttonIterationFires20110320 MikePerryIterationFires20110320
Cc:
Actual Points: 2
Parent ID:
Points: 2
Reviewer:
Sponsor:

Description

We had a random anonymous person show up on IRC who pointed out that Transifex was not filtering their input for XSS or other attacks. While this is bad for our website, it is potentially even worse for Torbutton. XUL XSS means arbitrary code execution.

I spoke with Dan Veditz and he both half-chastised me for trusting this input, and also explained the history Mozilla went through before they managed to make Personas safe to deploy. DTD elements can carry arbitrary XUL elements. Properties are much less risky unless you use them as .innerHTML in DOM manipulations.

I also tried to see if I could "break out" of a DTD element used inside an attribute by closing the quote and injecting a script attribute. I could not.

I believe this means that only two of our DTD elements should actually be vulnerable to this.

Child Tickets

Change History (2)

comment:1 Changed 8 years ago by mikeperry

Actual Points: 2
Resolution: fixed
Status: new → closed

Runa worked on a validation script that is better than nothing. I'm going to close this, and if the output of that script annoys me enough, I'll open a new ticket for improving it.
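A validation check of the kind comment:1 alludes to, covering the DTD and properties risk the description lays out. This is an added example, not Runa's script or any Torbutton code: it scans entity values in a DTD file and values in a .properties file for markup and script-like content, expanding numeric character references first so that `&#60;` cannot smuggle a `<` past the check. The sample files and the Torbutton-style keys in them are constructed.

```python
import re

# Constructed sample translation files (keys invented, not from Torbutton).
SAMPLE_DTD = '''\
<!ENTITY torbutton.panel.label "Torbutton">
<!ENTITY torbutton.panel.tooltip "Tor status for &brandShortName;">
<!ENTITY torbutton.panel.injected "Hi &#60;script&#62;run()&#60;/script&#62;">
'''
SAMPLE_PROPERTIES = '''\
torbutton.popup.welcome = Welcome to Tor
torbutton.popup.injected = Click <img src=x onerror="run()"> here
'''

ENTITY_RE = re.compile(r'<!ENTITY\s+([\w.\-]+)\s+(["\'])(.*?)\2\s*>', re.S)
CHARREF_RE = re.compile(r'&#(x[0-9a-fA-F]+|[0-9]+);')
# Things that should never appear in a translated string: tags, event
# handler attributes, script URIs. Named references like &brandShortName;
# are normal in Mozilla DTDs and are deliberately left alone.
SCRIPTY_RE = re.compile(r'<script\b|\bon\w+\s*=|javascript:', re.I)

def decode_charrefs(value):
    """Expand &#60; / &#x3c; style references so they can't hide '<'."""
    def repl(m):
        ref = m.group(1)
        return chr(int(ref[1:], 16) if ref[0] in 'xX' else int(ref))
    return CHARREF_RE.sub(repl, value)

def value_findings(value):
    """Return the reasons a translated value needs review (empty if clean)."""
    decoded = decode_charrefs(value)
    findings = []
    if '<' in decoded or '>' in decoded:
        findings.append('markup')
    if SCRIPTY_RE.search(decoded):
        findings.append('script')
    return findings

def check_dtd(text):
    """Map entity name -> findings for every suspicious <!ENTITY> in text."""
    bad = {}
    for name, _quote, value in ENTITY_RE.findall(text):
        findings = value_findings(value)
        if findings:
            bad[name] = findings
    return bad

def check_properties(text):
    """Map key -> findings for every suspicious key=value line in text."""
    bad = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(('#', '!')) or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        findings = value_findings(value)
        if findings:
            bad[key] = findings
    return bad

if __name__ == '__main__':
    for key, findings in {**check_dtd(SAMPLE_DTD),
                          **check_properties(SAMPLE_PROPERTIES)}.items():
        print(f'{key}: {", ".join(findings)}')
```

Anything flagged is a string to reject or hand to a human reviewer; the check is intentionally strict, so a legitimate string containing a literal angle bracket will also be reported.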

comment:2 Changed 16 months ago by teor

Severity: Normal

Set all tickets without a severity to "Normal"
