author | Byron Jones <glob@mozilla.com> | 2015-07-02 07:17:37 +0200 |
---|---|---|
committer | Byron Jones <glob@mozilla.com> | 2015-07-02 07:17:37 +0200 |
commit | 09b4735659156961621663ed65b9175e69a7f3f2 (patch) | |
tree | e44904d82f80d0a41a051815271b24690b5ab0fd | |
parent | a5f0c0cbff15f9de31b312cb3d57faa0a5b77f43 (diff) | |
Bug 1171758: Persistent xss is possible on Firefox
-rw-r--r-- | extensions/InlineHistory/web/inline-history.js | 10 | ||||
-rw-r--r-- | template/en/default/bug/edit.html.tmpl | 16 |
2 files changed, 17 insertions, 9 deletions
diff --git a/extensions/InlineHistory/web/inline-history.js b/extensions/InlineHistory/web/inline-history.js
index 4c4452d6a..0c8293519 100644
--- a/extensions/InlineHistory/web/inline-history.js
+++ b/extensions/InlineHistory/web/inline-history.js
@@ -379,9 +379,13 @@ var inline_history = {
 },
 confirmUnsafeUrl: function(url) {
- return confirm(
- 'This is considered an unsafe URL and could possibly be harmful.\n'
- + 'The full URL is:\n\n' + url + '\n\nContinue?');
+ try {
+ return confirm(
+ 'This is considered an unsafe URL and could possibly be harmful.\n'
+ + 'The full URL is:\n\n' + url + '\n\nContinue?');
+ } catch(e) {
+ return false;
+ }
 },
 previousElementSibling: function(el) {
diff --git a/template/en/default/bug/edit.html.tmpl b/template/en/default/bug/edit.html.tmpl
index eba5702e3..93c137073 100644
--- a/template/en/default/bug/edit.html.tmpl
+++ b/template/en/default/bug/edit.html.tmpl
@@ -600,12 +600,16 @@
 [% IF bug.check_can_change_field("bug_file_loc", 0, 1) %]
 <span id="bz_url_edit_container" class="bz_default_hidden">
 <a href="[% bug.bug_file_loc FILTER html %]" target="_blank"
- rel="noreferrer" title="[% bug.bug_file_loc FILTER html %]"
- [% IF NOT is_safe_url(bug.bug_file_loc) %]
- onclick="return confirm(
- 'This is considered an unsafe URL and could possibly be harmful. '
- + 'The full URL is:\n\n[% bug.bug_file_loc FILTER js FILTER html %]\n\n'
- + 'Continue?')"
+ rel="noreferrer" title="[% bug.bug_file_loc FILTER html %]"
+ [% IF NOT is_safe_url(bug.bug_file_loc) %]
+ onclick="
+ try {
+ return confirm('This is considered an unsafe URL and could possibly be harmful. '
+ + 'The full URL is:\n\n[% bug.bug_file_loc FILTER js FILTER html %]\n\nContinue?');
+ } catch(e) {
+ return false;
+ }
+ "
 [% END %]>
 [% bug.bug_file_loc FILTER truncate(40) FILTER html %]</a>
 (<a href="#" id="bz_url_edit_action">edit</a>) |
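Review bot: The new `catch(e) { return false; }` in confirmUnsafeUrl carries no comment, so it reads as a swallowed error rather than a deliberate fail-closed decision; add above the `try`: `// confirm() can throw when the browser has suppressed further dialogs (Firefox, per bug 1171758); an exception escaping the click handler would let the link's default navigation proceed, so treat it as "do not continue".` The unused `e` binding is required by the ES5 syntax this file uses, so it should stay. Whether a false return actually cancels the navigation depends on the callers, which are outside this hunk; it is worth confirming that every call site returns this value from its click handler rather than discarding it.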
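Review bot: The inline `onclick` remains the only barrier in front of the unsafe value in `href`, so the fix is correct but thin: any other error thrown inside that attribute, or a browser that does not run inline handlers, still lets the anchor navigate to `bug.bug_file_loc` directly. Consider emitting no `href` at all when `is_safe_url` is false and rendering the value as escaped text instead, which removes the dependence on the dialog; if the live link must stay, a template comment such as `[%# confirm() throws when dialogs are suppressed; fail closed so the unsafe href is never followed %]` before the `try` records why the block exists. The filter order `FILTER js FILTER html` is the right one for a JS string inside an HTML attribute and must be preserved if the text is reworked. The same dialog wording and try/catch now live both here and in extensions/InlineHistory/web/inline-history.js, so the two are likely to drift; a shared helper is only possible if core templates may depend on that extension, which this hunk does not establish.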