[tor-bugs] #2780 [Torbutton]: Investigate Torbutton translation input validation issue
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Mon Mar 21 11:59:23 UTC 2011
#2780: Investigate Torbutton translation input validation issue
-----------------------------------------------------------------------------+
Reporter: mikeperry | Owner: mikeperry
Type: defect | Status: new
Priority: blocker | Milestone:
Component: Torbutton | Version:
Keywords: TorbuttonIterationFires20110320 MikePerryIterationFires20110320 | Parent:
Points: 2 | Actualpoints:
-----------------------------------------------------------------------------+
We had a random anonymous person show up on IRC who pointed out that
Transifex was not filtering their input for XSS or other attacks. While
this is bad for our website, it is potentially even worse for Torbutton.
XUL XSS means arbitrary code execution.
I spoke with Dan Veditz and he both half-chastised me for trusting this
input, and also explained the history Mozilla went through before they
managed to make Personas safe to deploy. DTD elements can carry arbitrary
XUL elements. Properties are much less risky unless you use them as
.innerHTML in DOM manipulations.
I also tried to see if I could "break out" of a DTD element used inside an
attribute by closing the quote and injecting a script attribute. I could
not.
I believe this means that only two of our DTD elements should actually be
vulnerable to this.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2780>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list