Closed Bug 1498569 Opened 6 years ago Closed 6 years ago

Remove new Function from wizard.xml

Categories

(Core :: DOM: Security, enhancement, P3)

Product:
Core
Component:
DOM: Security
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox68 --- fixed

People

(Reporter: vinoth, Assigned: jallmann)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog1])

Attachments

(2 files)

Bug 1498569 - Replaced new Function in wizard.xml using loadsubscript
(deleted), text/x-phabricator-request
Details
Bug 1498569, Replace wizard.xml attributes with event listeners, r=gijs
(deleted), text/x-phabricator-request
Details
Eval(), new Function() should never execute with system principal.It is being removed everywhere from our codebase as part of Bug 1473549. The affected code which should be rewritten, https://dxr.mozilla.org/mozilla-central/rev/c291143e24019097d087f9307e59b49facaf90cb/toolkit/content/widgets/wizard.xml#422
Component: General → DOM: Security
Product: Toolkit → Core
Whiteboard: [domsecurity-backlog1]
Assignee: nobody → cegvinoth
Status: NEW → ASSIGNED
Assignee: cegvinoth → nobody
Status: ASSIGNED → NEW

I have a question that also applies to Bug 1498566.
After replacing all onwizard*-attributes in the codebase by proper event handlers, can I just remove this block of code

https://searchfox.org/mozilla-central/source/toolkit/content/widgets/wizard.xml#419

entirely without replacement? And if yes, am I right that this documentation

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/wizard

would have to be adapted, because the attributes wont work anymore?

Flags: needinfo?(gijskruitbosch+bugs)

(In reply to Jonas Allmann [:jallmann] from comment #2)

I have a question that also applies to Bug 1498566.
After replacing all onwizard*-attributes in the codebase by proper event handlers, can I just remove this block of code

https://searchfox.org/mozilla-central/source/toolkit/content/widgets/wizard.xml#419

entirely without replacement? And if yes, am I right that this documentation

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/wizard

would have to be adapted, because the attributes wont work anymore?

Yes for both of these. :-)

Flags: needinfo?(gijskruitbosch+bugs)
Assignee: nobody → jallmann
  • Removed all occurences of custom onwizard* attributes.
  • Removed custom handler code from wizard.xml.
  • Updated eval()-usage whitelist.
Status: NEW → ASSIGNED

Dev-docs need to be updated as a consequence of this Bug.

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/wizard

The attributes onextra1, onextra2, onwizardback, onwizardcancel, onwizardfinish, onwizardnext for the XUL-Element wizard are no longer supported. Using custom event handlers in the script code is recommended instead.

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/wizardpage

The attributes onpageadvanced, onpagehide, onpagerewound, onpageshow for the wizardpage Element are no longer supported either.

Keywords: dev-doc-needed

This Bug is ready to land, could you do that for me, ckerschb?

Flags: needinfo?(ckerschb)

I've triggered lando for you. In future, you can also set the 'checkin-needed' keyword on the bug.

Flags: needinfo?(ckerschb)
Pushed by gijskruitbosch@gmail.com: https://hg.mozilla.org/integration/autoland/rev/156372e0b165 Replace wizard.xml attributes with event listeners, r=Gijs

https://hg.mozilla.org/mozilla-central/rev/156372e0b165

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox68: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Depends on: 1541136
Regressions: 1542844
No longer regressions: 1542844

docs deleted as requested

Keywords: dev-doc-neededdev-doc-complete
Regressions: 1544277
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: