Closed Bug 850554 Opened 12 years ago Closed 8 years ago

modal_dialog.js doesn't escape input from select elements

Categories

(Firefox OS Graveyard :: Gaia::System::Window Mgmt, defect)

Platform: x86 / macOS
Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: pauljt, Unassigned)

References

Details

(Keywords: sec-low)

Short version: modal_dialog.js, specifically the buildSelectOneDialog function, sets innerHTML to unsanitised input. It doesn't look possible currently to trigger this and cause an issue, but I think we should remove this code if it is no longer used. Or if it's needed, fix it so that it doesn't use innerHTML, and uses DOM methods instead. I've rated this as LOW, since it doesn't look to be exploitable at the moment, but wanted to raise it for discussion to make sure.

Long version: This code worries me:

    var type = evt.detail.promptType || evt.detail.type;
    if (type !== 'selectone') {
      message = escapeHTML(message);
    }

So if the event type is selectone, the message doesn't get sanitized. But the function that takes the message argument, buildSelectOneDialog [1], does dangerous string concatenation and then innerHTML. However, as far as I can tell, this code is no longer used because currently mozbrowser doesn't fire a mozbrowsershowmodalprompt event on select [2]. I am worried though that if the mozbrowser code is changed to start firing events for select, this will allow apps to inject HTML/JavaScript into the system app context.

[1] http://mxr.mozilla.org/gaia/source/apps/system/js/modal_dialog.js#324
[2] https://mxr.mozilla.org/mozilla-b2g18/source/dom/browser-element/BrowserElementPromptService.jsm#123
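The pattern the report describes, as an added example that is not Gaia's modal_dialog.js and not code from the reporter: a hypothetical select-one dialog builder in its string-concatenation-plus-innerHTML form, the same builder with every interpolated string passed through an escapeHTML helper (the path the non-'selectone' branch takes), and a builder that uses only DOM methods so untrusted strings can only ever become text nodes or attribute values. The function names, the markup shape, the hostile label and the minimal stand-in `document` are all assumptions made here so the example runs under Node without a browser.

```javascript
'use strict';

// Escape the characters that can change meaning in HTML text or attribute values.
function escapeHTML(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape (hypothetical, modelled on the pattern in the report):
// untrusted title and choice labels concatenated straight into markup that
// would then be assigned to innerHTML in the system app.
function buildSelectOneMarkupUnsafe(title, choices) {
  let html = '<h3>' + title + '</h3><ul>';
  for (const c of choices) {
    html += '<li><label><input type="radio" name="choice" value="' + c.value +
            '">' + c.label + '</label></li>';
  }
  return html + '</ul>';
}

// Fix A: same markup, but every interpolated string is escaped first.
function buildSelectOneMarkupEscaped(title, choices) {
  let html = '<h3>' + escapeHTML(title) + '</h3><ul>';
  for (const c of choices) {
    html += '<li><label><input type="radio" name="choice" value="' +
            escapeHTML(c.value) + '">' + escapeHTML(c.label) + '</label></li>';
  }
  return html + '</ul>';
}

// Fix B: no innerHTML at all. Untrusted strings only reach the tree as text
// nodes or attribute values, so the HTML parser never sees them as markup.
function buildSelectOneDialog(doc, title, choices) {
  const root = doc.createElement('div');
  const h3 = doc.createElement('h3');
  h3.appendChild(doc.createTextNode(title));
  root.appendChild(h3);
  const ul = doc.createElement('ul');
  for (const c of choices) {
    const li = doc.createElement('li');
    const label = doc.createElement('label');
    const input = doc.createElement('input');
    input.setAttribute('type', 'radio');
    input.setAttribute('name', 'choice');
    input.setAttribute('value', c.value);
    label.appendChild(input);
    label.appendChild(doc.createTextNode(c.label));
    li.appendChild(label);
    ul.appendChild(li);
  }
  root.appendChild(ul);
  return root;
}

// Minimal stand-in for a DOM document, constructed here so the example runs
// under Node; in the real system app the browser's `document` would be used.
function makeFakeDocument() {
  return {
    createElement: (tag) => ({
      tagName: tag, attrs: {}, children: [],
      setAttribute(k, v) { this.attrs[k] = String(v); },
      appendChild(n) { this.children.push(n); return n; },
    }),
    createTextNode: (s) => ({ text: String(s) }),
  };
}

// Count elements with a given tag anywhere in a tree (text nodes have no tagName).
function countElements(node, tag) {
  if (node.tagName === undefined) return 0;
  return (node.tagName === tag ? 1 : 0) +
         node.children.reduce((n, ch) => n + countElements(ch, tag), 0);
}

// Concatenate the text-node content of a tree in document order.
function textOf(node) {
  if (node.tagName === undefined) return node.text;
  return node.children.map(textOf).join('');
}

// Constructed hostile input: a label that closes the <label> and injects a tag.
const HOSTILE_LABEL = '</label><img src=x onerror=alert(1)>';
const CHOICES = [{ value: '1', label: 'Yes' }, { value: '2', label: HOSTILE_LABEL }];

function demo() {
  const unsafe = buildSelectOneMarkupUnsafe('Pick one', CHOICES);
  const escaped = buildSelectOneMarkupEscaped('Pick one', CHOICES);
  const tree = buildSelectOneDialog(makeFakeDocument(), 'Pick one', CHOICES);
  return {
    unsafeHasImgTag: unsafe.includes('<img'),      // true: payload became markup
    escapedHasImgTag: escaped.includes('<img'),    // false: payload is text
    domImgElements: countElements(tree, 'img'),    // 0: no element was created
    domLabelText: textOf(tree),                    // payload survives only as text
  };
}
```

The DOM-method version is the one the report asks for: it has no string that is later parsed as HTML, so there is no branch (like the 'selectone' special case) where forgetting to escape can reintroduce the injection.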
Group: b2g-core-security
Component: Gaia::System → Gaia::System::Window Mgmt
Group: core-security → b2g-core-security
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX