Bug 350830 (Closed): Remove x-u-escape encoder/decoder
Opened 18 years ago, closed 18 years ago
Status: RESOLVED FIXED
Categories: Core :: Internationalization, defect
People: Reporter: smontagu, Assigned: smontagu
Keywords: verified1.8.0.12, verified1.8.1.4
Whiteboard: [sg:want] XSS risk for sites
Attachments (2 files):
- (deleted), text/html; charset=x-u-escaped
- (deleted), patch (jshin1987: review+, dveditz: superreview+, dveditz: approval1.8.1.4+, dveditz: approval1.8.0.12+)
I'm not sure why we even have an x-u-escape decoder and encoder. As far as I know it's not used in web pages. http://www.mozilla.org/projects/l10n/mlp_tools.html mentions that it can be used with stand alone nsconv to convert properties and javascript files, but there are other tools that can do that.
There is also a possible XSS vulnerability, which I will attach a testcase for instanter.
Comment 1 • 18 years ago (Assignee)
Comment 2 • 18 years ago (Assignee)
If we retain the decoder, we could perhaps eliminate the ASCII-spoofing vulnerability by only allowing u-escaped characters outside the ASCII range.
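The restriction proposed in comment 2, as an added example (not the Mozilla decoder and not code from this bug). It assumes x-u-escaped input carries each escaped UTF-16 code unit as `\uXXXX` with four hex digits; `DecodeUEscapedNonAscii` and its helpers are hypothetical names.

```cpp
#include <cstddef>
#include <string>

// Added example (not Mozilla code). Assumption: x-u-escaped input is a byte
// stream in which "\uXXXX" (four hex digits) stands for one UTF-16 code unit
// and every other byte is copied through unchanged.

static int HexVal(char c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

// Parses "\uXXXX" at in[pos]; returns the code unit, or -1 if the bytes
// there are not a complete, well-formed escape.
static long ParseEscape(const std::string& in, std::size_t pos) {
  if (in.size() - pos < 6 || in[pos] != '\\' || in[pos + 1] != 'u') return -1;
  long unit = 0;
  for (std::size_t k = 2; k < 6; ++k) {
    int v = HexVal(in[pos + k]);
    if (v < 0) return -1;
    unit = unit * 16 + v;
  }
  return unit;
}

// Decoder with the restriction from comment 2: an escape is honoured only
// when it names a code unit above 0x7F. Escapes for ASCII stay as the six
// literal characters, so the output never contains an ASCII character (such
// as '<' or '"') that was not already visible as that byte in the input.
std::u16string DecodeUEscapedNonAscii(const std::string& in) {
  std::u16string out;
  std::size_t i = 0;
  while (i < in.size()) {
    long unit = ParseEscape(in, i);
    if (unit > 0x7F) {
      out.push_back(static_cast<char16_t>(unit));
      i += 6;
    } else {
      // Malformed, truncated, or ASCII-range escape, or an ordinary byte.
      out.push_back(static_cast<char16_t>(static_cast<unsigned char>(in[i])));
      ++i;
    }
  }
  return out;
}
```

With this rule, a server-side filter that inspects the raw bytes for markup characters sees every ASCII character the decoded text will contain.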
Comment 3 • 18 years ago (Assignee)
Attachment #236836 - Flags: superreview?(dveditz)
Attachment #236836 - Flags: review?(jshin1987)
Comment 4 • 18 years ago
Comment on attachment 236836
Remove it
r=jshin
Yes, I'm all for removing it.
Attachment #236836 - Flags: review?(jshin1987) → review+
Comment 5 • 18 years ago
Comment on attachment 236836
Remove it
sr=dveditz
Attachment #236836 - Flags: superreview?(dveditz) → superreview+
Comment 6 • 18 years ago (Assignee)
Checked in.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated • 18 years ago
Attachment #236211 - Attachment mime type: text/html → text/html; charset=x-u-escaped
Updated • 18 years ago
Whiteboard: [sg:want] XSS risk for sites
Comment 7 • 18 years ago
Should be able to remove this on the 1.8 branch without affecting anyone, right?
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Comment 8 • 18 years ago (Assignee)
Right, it shouldn't be a problem.
Updated • 18 years ago
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Updated • 18 years ago (Assignee)
Attachment #236836 - Flags: approval1.8.1.4?
Attachment #236836 - Flags: approval1.8.0.12?
Updated • 18 years ago
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Comment 9 • 18 years ago
Comment on attachment 236836
Remove it
approved for 1.8.0.12 and 1.8.1.4, a=dveditz
Attachment #236836 - Flags: approval1.8.1.4?
Attachment #236836 - Flags: approval1.8.1.4+
Attachment #236836 - Flags: approval1.8.0.12?
Attachment #236836 - Flags: approval1.8.0.12+
Updated • 18 years ago (Assignee)
Keywords: fixed1.8.0.12, fixed1.8.1.4
Updated • 18 years ago
Group: security