From bug 343573 comment 39: The spec (in that bug) says "Any tags included that are not allowed should be displayed as entities rather than stripped out." This is just adding $this->config->set('Core.EscapeInvalidTags', true) however, we're passing the strings to our view sanitized, and then unsanitizing them when we need them in that form. Our unsanitize() function uses preg_replace() which doesn't care how many replacements it does, meaning this is a regular occurance: < -> < -> > . This effectively ruins our sanitization with mixed levels of escaping. The current code is stripping out the entities which is working fine. We could fix this by passing the strings to the view individually with set() but that's pretty dirty. I don't feel this is a high enough priority to block 5.3, so I'm splitting it into it's own lower priority bug.

This can be committed anytime

Wil: mind relaying a quick testcase? Thanks!

Sure put this in a field that allows html: <script>alert('blah')</script> On the live site it will disappear, on preview it will be shown on the page (escaped).

Verified FIXED on https://preview.addons.mozilla.org/en-US/developers/addon/edit/9331/descriptions; thanks, Wil!

Had to back this patch out because it was making XSS possible. Kicking out of 5.5. too.

boom!