Bug 1224425
Opened 9 years ago
Updated 2 months ago
HTML injection with the page title in reader view
Categories
(Firefox for iOS :: Reader View, defect)
Tracking
NEW
People
(Reporter: sdna.muneaki.nishimura, Unassigned)
Details
(Keywords: reporter-external, sec-low, Whiteboard: moderated by CSP)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Steps to reproduce:

1. Open the following Google search result
https://www.google.co.jp/search?q=%3Ch1%3E%3Cs%3E%3Ca+href%3Dhttps%3A%2F%2Fmallory.csrf.jp%3A8020%3EXSS%3C%2Fa%3E%3C%2Fs%3E%3C%2Fh1%3E&oq=%3Ch1%3E%3Cs%3E%3Ca+href%3Dhttps%3A%2F%2Fmallory.csrf.jp%3A8020%3EXSS%3C%2Fa%3E%3C%2Fs%3E%3C%2Fh1%3E
2. Open the page in reader view

Actual results:

HTML tags in the page title "<h1><s><a href=https://mallory.csrf.jp:8020>XSS</a></s></h1>" are parsed as HTML in reader view.

Expected results:

The page title should be shown as plain text.

Fortunately the reader view is protected by a strong CSP (below).
https://github.com/mozilla/firefox-ios/blob/master/Client/Frontend/Reader/ReaderModeHandlers.swift#L45

So I think its risk is not so high, since nasty attacks such as XSS and iframe injection are blocked.
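The defect and its fix, as an added example that is not code from the bug report or from the firefox-ios project: a minimal model of a reader-view template that splices the article title into markup, beside the same template with the title escaped. The template markup, the helper names and the tag-counting check are assumptions made for the illustration; the title string is the one from the reproduction steps.

```javascript
// Added example (not the project's code): the title from the bug's
// reproduction steps, fed through an unsafe and a safe title renderer.
const REPORTED_TITLE =
  '<h1><s><a href=https://mallory.csrf.jp:8020>XSS</a></s></h1>';

// Escape the characters that can open a tag or break out of an attribute.
// '&' goes first so the entities produced afterwards are not re-escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (assumed template): the raw title is interpolated, so
// markup in the title becomes markup in the reader page, as the bug reports.
function renderReaderTitleUnsafe(title) {
  return `<header><h1 class="reader-title">${title}</h1></header>`;
}

// Fixed pattern: the title is treated as text, so the same input renders
// literally. This is the fix; the CSP the reporter points to only limits what
// injected markup can do once it is already in the page.
function renderReaderTitleSafe(title) {
  return `<header><h1 class="reader-title">${escapeHtml(title)}</h1></header>`;
}

// Regression check: count tags in the rendered output beyond the four the
// template itself contributes. Any surplus means the title leaked into markup.
function injectedTagCount(rendered, templateTagCount = 4) {
  const tags = rendered.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return Math.max(0, tags.length - templateTagCount);
}
```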
Updated•9 years ago
Flags: needinfo?(sarentz)
Updated•9 years ago
Flags: needinfo?(sarentz)
Comment 1•9 years ago
Not sure if the iOS version is part of the bounty program but nominating all the same
Flags: sec-bounty?
Updated•9 years ago
Hardware: Other → All
Updated•9 years ago
tracking-fxios: --- → ?
Updated•9 years ago
Whiteboard: moderated by CSP
Comment 2•9 years ago
Minusing this as a "low" rated security issue. If you can elevate this to a stronger exploit, we can re-examine this. Also, you may wish to see if this is present on Firefox for Android.
Flags: sec-bounty? → sec-bounty-
Reporter
Comment 3•7 years ago
Two years have passed since I reported this ticket. It is still unfixed, but the risk is rated as low. Could you unhide the ticket if no risk would be exposed?
Flags: needinfo?(abillings)
Updated•7 years ago
Group: firefox-core-security
Updated•7 years ago
Flags: needinfo?(abillings)
Updated•5 years ago
tracking-fxios: 1.3+ → ---
Updated•2 years ago
Severity: normal → S3
Updated•2 months ago
Keywords: reporter-external