Open Bug 1224425 Opened 9 years ago Updated 2 months ago

HTML injection with the page title in reader view

Categories: Firefox for iOS :: Reader View, defect
Hardware: All, OS: iOS


People: Reporter: sdna.muneaki.nishimura, Unassigned

Details: Keywords: reporter-external, sec-low; Whiteboard: moderated by CSP

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Steps to reproduce:

1. Open the following Google search result
https://www.google.co.jp/search?q=%3Ch1%3E%3Cs%3E%3Ca+href%3Dhttps%3A%2F%2Fmallory.csrf.jp%3A8020%3EXSS%3C%2Fa%3E%3C%2Fs%3E%3C%2Fh1%3E&oq=%3Ch1%3E%3Cs%3E%3Ca+href%3Dhttps%3A%2F%2Fmallory.csrf.jp%3A8020%3EXSS%3C%2Fa%3E%3C%2Fs%3E%3C%2Fh1%3E
2. Open the page in reader view


Actual results:

HTML tags in the page title "<h1><s><a href=https://mallory.csrf.jp:8020>XSS</a></s></h1>" are parsed as HTML in reader view.



Expected results:

The page title should be shown as plain text.

Fortunately the reader view is protected by strong CSP (below).
https://github.com/mozilla/firefox-ios/blob/master/Client/Frontend/Reader/ReaderModeHandlers.swift#L45
So I think its risk is not so high since nasty attacks such as XSS and iframe injection are blocked.
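As an added illustration of the defect described in this report (not code from the firefox-ios project), the snippet below renders a reader-view header from an untrusted page title twice: once with the title interpolated as raw markup, and once with it escaped so it is displayed as plain text. The sample title is the one from the reproduction steps; the template markup and function names are assumptions.

```javascript
// Added example, not from the firefox-ios project: the vulnerable
// template beside its hardened form. Runs under Node with no dependencies.

// Constructed sample input: the crafted title from the reproduction steps.
const SAMPLE_TITLE = '<h1><s><a href=https://mallory.csrf.jp:8020>XSS</a></s></h1>';

// Escape the five characters that can change HTML structure or break out
// of a quoted attribute value; everything else is left untouched.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form (assumed template): the title is dropped into the
// markup as-is, so tags in a crafted page title become real elements.
function renderHeaderUnsafe(title) {
  return `<header><h1 class="reader-title">${title}</h1></header>`;
}

// Hardened form: the title is escaped before interpolation, so the
// browser shows the angle brackets instead of parsing them. A CSP on the
// reader page (as the report notes) is defence in depth, not a substitute.
function renderHeaderSafe(title) {
  return `<header><h1 class="reader-title">${escapeHtml(title)}</h1></header>`;
}

// Count the opening tags a browser would turn into elements. A safe render
// must yield exactly the template's own two elements (header and h1).
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

console.log('unsafe elements:', countTags(renderHeaderUnsafe(SAMPLE_TITLE))); // 5
console.log('safe elements:  ', countTags(renderHeaderSafe(SAMPLE_TITLE)));   // 2
```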
Flags: needinfo?(sarentz)
Flags: needinfo?(sarentz)
Not sure if the iOS version is part of the bounty program but nominating all the same
Flags: sec-bounty?
Hardware: Other → All
Whiteboard: moderated by CSP
Minusing this as a "low" rated security issue. If you can elevate this to a stronger exploit, we can re-examine this. Also, you may wish to see if this is present on Firefox for Android.
Flags: sec-bounty? → sec-bounty-
Two years have passed since I reported this ticket. It is still unfixed, but the risk is rated as low.
Could you unhide the ticket if no risk would be exposed?
Flags: needinfo?(abillings)
Group: firefox-core-security
Flags: needinfo?(abillings)
Severity: normal → S3