Warn about or filter Bookmarklets when importing bookmarks
Categories: Firefox :: Bookmarks & History, enhancement
People: Reporter: 49studebaker, Unassigned
User Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_4_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Mobile/15E148 Safari/604.1
Steps to reproduce:
When a tab is dragged and dropped on the bookmark bar, input should be sanitized and/or checked for malicious commands. Maybe malicious JavaScript or other programming languages could be injected into the web browser if a web link with encoded malicious JavaScript is added to “Name”, “url”, “comments”, etc. input boxes. Someone could put a URL with malicious code in the name field.
If a bookmark file contains malicious programming code, when the bookmark file is imported into Firefox maybe the web browser could be infected.
Actual results:
Firefox could get infected via malicious bookmark data.
Expected results:
Bookmark input should be sanitized. Any programming code in bookmark data should be removed.
Comment 1 • 4 years ago (Reporter)
Applies to Firefox on Windows, Linux, MacOS
Comment 2 • 4 years ago
These are known as "Bookmarklets" and they are an intentional feature for power-users. Power-users also tend to be the ones saving and importing bookmarks and they wouldn't be happy if we nerfed their bookmarklets. At best I could see a prompt warning that bookmarklets are present and asking if they should be filtered out, with a "remember this choice" checkbox for the power-users who won't want to see it again.
We have done a bunch of things to add friction to abuses we've seen against users relating to javascript: urls: originally just stripping out the scheme when pasted, and now making those not work at all even when entered by typing into the address bar. We've also disabled pasting by default in the browser console because the address bar attacks moved there when they stopped working. We haven't seen the attacks migrate to convincing people to import bookmarks files. The mechanics would work, but it's such an odd thing to ask someone to do that they either haven't tried or the success rate was too low to bother.
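As an added example (not Firefox's own code), here is a small Python scanner for the Netscape-format bookmarks HTML that browsers export and import, modelling the "warn about bookmarklets, then offer to filter them" import step suggested in the comment above. The sample file is constructed, and the scheme-normalization rule (strip the whitespace and control characters a URL parser ignores, then compare case-insensitively) is my assumption about what a robust check needs.

```python
import re
from html.parser import HTMLParser

# The WHATWG URL parser strips leading C0 controls/spaces and removes tab, LF and CR
# anywhere, so those characters must not be allowed to hide the scheme from the check.
_STRIP = re.compile(r"[\x00-\x20\x7f]")


def is_bookmarklet(href: str) -> bool:
    """True if the href would be parsed with a javascript: scheme."""
    return _STRIP.sub("", href).lower().startswith("javascript:")


class _BookmarkParser(HTMLParser):
    """Collects (title, href) pairs from the <A HREF=...>title</A> entries."""

    def __init__(self):
        super().__init__()
        self.entries, self._href, self._title = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # attribute values arrive with HTML entities already decoded
            self._href, self._title = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._title.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.entries.append(("".join(self._title).strip(), self._href))
            self._href = None


def scan_bookmarks(html: str):
    """Split an export into (safe_entries, bookmarklets) so an importer can
    warn about the second list and offer to drop it."""
    parser = _BookmarkParser()
    parser.feed(html)
    safe = [e for e in parser.entries if not is_bookmarklet(e[1])]
    return safe, [e for e in parser.entries if is_bookmarklet(e[1])]


# Constructed sample export: one ordinary link, one plain bookmarklet and one whose
# scheme is disguised by mixed case, a leading tab and an entity-encoded colon.
SAMPLE = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
<DT><A HREF="https://example.org/">Example</A>
<DT><A HREF="javascript:void(0)">Plain bookmarklet</A>
<DT><A HREF="&#9;JavaScript&#58;void(0)">Disguised bookmarklet</A>
</DL><p>"""
```

An importer would show the second list in a confirmation prompt and, if the user accepts, import only the first.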
Comment 3 • 4 years ago
This is a long-standing public bug, bug 371923.