Closed
Bug 1498566
Opened 6 years ago
Closed 6 years ago
Remove new Function from dialog.xml
Categories
(Core :: DOM: Security, enhancement, P3)
Tracking
()
RESOLVED
FIXED
mozilla68
| | Tracking | Status |
|---|---|---|
| firefox68 | --- | fixed |
People
(Reporter: vinoth, Assigned: jallmann)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog1])
Attachments
(2 files)
Eval(), new Function() should never execute with system principal. It is being removed everywhere from our codebase as part of Bug 1473549.
The affected code which should be rewritten:
https://dxr.mozilla.org/mozilla-central/rev/c291143e24019097d087f9307e59b49facaf90cb/toolkit/content/widgets/dialog.xml#418
Reporter
Updated•6 years ago
Component: XUL Widgets → DOM: Security
Product: Toolkit → Core
Updated•6 years ago
Whiteboard: [domsecurity-backlog1]
Reporter
Updated•6 years ago
Assignee: nobody → cegvinoth
Status: NEW → ASSIGNED
Reporter
Comment 1•6 years ago
Reporter
Comment 2•6 years ago
In order to clarify the things I will summarize the changes required for this bug,
In order to remove the usage of new Function from dialog.xml[1], we need to remove the usage of attributes[2] ondialogaccept, ondialogcancel, ondialogdisclosure, ondialogextra1, ondialogextra2 and ondialoghelp from all the places within our codebase. Please correct me if I got something wrong about this approach.
[1] - https://dxr.mozilla.org/mozilla-central/rev/c291143e24019097d087f9307e59b49facaf90cb/toolkit/content/widgets/dialog.xml#418
[2] - https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/dialog#Attributes
Flags: needinfo?(gijskruitbosch+bugs)
Comment 3•6 years ago
(In reply to Vinothkumar Nagasayanan [:vinoth] from comment #2)
> In order to clarify the things I will summarize the changes required for
> this bug,
>
> In order to remove the usage of new Function from dialog.xml[1], we need to
> remove the usage of attributes[2] ondialogaccept, ondialogcancel,
> ondialogdisclosure, ondialogextra1, ondialogextra2 and ondialoghelp from all
> the places within our codebase. Please correct me if I got something wrong
> about this approach.
Yep, this seems fine; we'll need to use custom events to do the same thing that the attributes do today.
Flags: needinfo?(gijskruitbosch+bugs)
Reporter
Updated•6 years ago
Assignee: cegvinoth → nobody
Status: ASSIGNED → NEW
Assignee
Updated•6 years ago
Assignee: nobody → jallmann
Assignee
Updated•6 years ago
Status: NEW → ASSIGNED
Assignee
Comment 4•6 years ago
Remove the now obsolete event handling code including new Function. Remove dialog.xml from eval() whitelist.
Assignee
Updated•6 years ago
Keywords: checkin-needed
Assignee
Comment 5•6 years ago
Dev-Docs for the dialog XUL-Element need to be updated as a result of this bug.
https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/dialog#Attributes
The attributes ondialogaccept, ondialogcancel, ondialogdisclosure, ondialogextra1, ondialogextra2, ondialoghelp won't be supported anymore and should be removed from the docs. Using JS-eventHandlers is recommended instead.
Keywords: dev-doc-needed
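The migration discussed in comments 2, 3 and 5, as an added example that is not Mozilla's code and not part of the bug thread: `FakeDialog` is a hypothetical stand-in for the dialog binding (plain `EventTarget`, runnable under Node.js without XUL), and the `dialogaccept` event name is assumed from the attribute name. It puts the attribute-string path compiled with `new Function` beside the event-listener path that replaces it.

```javascript
// Added illustration: FakeDialog is a hypothetical stand-in, not Mozilla code.
class FakeDialog extends EventTarget {
  constructor(attrs = {}) {
    super();
    this.attrs = attrs; // markup attributes: plain strings
  }

  // Before: the attribute string is compiled with new Function and runs
  // with whatever privileges the dialog code itself has.
  fireLegacy(type) {
    const src = this.attrs["ondialog" + type];
    if (!src) return true;
    const handler = new Function("event", src); // string becomes code
    return handler.call(this, new Event("dialog" + type)) !== false;
  }

  // After: only a cancelable event is dispatched. Attribute strings are
  // never compiled, so a handler has to be a function added by script.
  fire(type) {
    return this.dispatchEvent(new Event("dialog" + type, { cancelable: true }));
  }
}

function demo() {
  // Constructed sample markup carrying a handler string.
  const markup = { ondialogaccept: "this.ranFromString = true; return false;" };

  const legacy = new FakeDialog(markup);
  const legacyProceeds = legacy.fireLegacy("accept");

  const fixed = new FakeDialog(markup);
  let listenerCalls = 0;
  fixed.addEventListener("dialogaccept", (event) => {
    listenerCalls += 1;
    event.preventDefault(); // replaces "return false" in the attribute
  });
  const fixedProceeds = fixed.fire("accept");

  return {
    legacyRanString: legacy.ranFromString === true,
    legacyProceeds,
    fixedRanString: fixed.ranFromString === true,
    fixedProceeds,
    listenerCalls,
  };
}

console.log(demo());
```

In the second path the `ondialogaccept` string stays inert data, and cancelling the dialog action moves from `return false` in markup to `preventDefault()` in a listener.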
Pushed by dluca@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4c124c1db332
Remove custom event handling code from dialog.xml, r=Gijs
Keywords: checkin-needed
Comment 7•6 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox68:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Comment 8•6 years ago
Attributes removed from docs as instructed.
Keywords: dev-doc-needed → dev-doc-complete