authorByron Jones <glob@mozilla.com>2015-07-02 07:17:37 +0200
committerByron Jones <glob@mozilla.com>2015-07-02 07:17:37 +0200
commit09b4735659156961621663ed65b9175e69a7f3f2 (patch)
treee44904d82f80d0a41a051815271b24690b5ab0fd
parenta5f0c0cbff15f9de31b312cb3d57faa0a5b77f43 (diff)
downloadbugzilla-09b4735659156961621663ed65b9175e69a7f3f2.tar.gz
bugzilla-09b4735659156961621663ed65b9175e69a7f3f2.tar.xz
Bug 1171758: Persistent xss is possible on Firefox
-rw-r--r--extensions/InlineHistory/web/inline-history.js10
-rw-r--r--template/en/default/bug/edit.html.tmpl16
2 files changed, 17 insertions, 9 deletions
diff --git a/extensions/InlineHistory/web/inline-history.js b/extensions/InlineHistory/web/inline-history.js
index 4c4452d6a..0c8293519 100644
--- a/extensions/InlineHistory/web/inline-history.js
+++ b/extensions/InlineHistory/web/inline-history.js
@@ -379,9 +379,13 @@ var inline_history = {
},
confirmUnsafeUrl: function(url) {
- return confirm(
- 'This is considered an unsafe URL and could possibly be harmful.\n'
- + 'The full URL is:\n\n' + url + '\n\nContinue?');
+ try {
+ return confirm(
+ 'This is considered an unsafe URL and could possibly be harmful.\n'
+ + 'The full URL is:\n\n' + url + '\n\nContinue?');
+ } catch(e) {
+ return false;
+ }
},
previousElementSibling: function(el) {
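Review bot: The new `catch(e)` in confirmUnsafeUrl swallows every exception without recording why, so a later maintainer could reasonably "simplify" the try/catch away and reintroduce the bug the commit title names. Add a comment above the `try` stating the fail-closed intent, e.g. `// confirm() can throw (e.g. when the browser suppresses further dialogs); treat that as "do not navigate" so an unsafe URL is never followed without consent.` The onclick hunk in template/en/default/bug/edit.html.tmpl applies the same pattern and should carry the same comment, written as a `/* */` block since it sits inside an attribute value. That a suppressed-dialog setting is the actual trigger is inferred from the commit title rather than from the hunk, so adjust the wording if the real cause differs.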
diff --git a/template/en/default/bug/edit.html.tmpl b/template/en/default/bug/edit.html.tmpl
index eba5702e3..93c137073 100644
--- a/template/en/default/bug/edit.html.tmpl
+++ b/template/en/default/bug/edit.html.tmpl
@@ -600,12 +600,16 @@
[% IF bug.check_can_change_field("bug_file_loc", 0, 1) %]
<span id="bz_url_edit_container" class="bz_default_hidden">
<a href="[% bug.bug_file_loc FILTER html %]" target="_blank"
- rel="noreferrer" title="[% bug.bug_file_loc FILTER html %]"
- [% IF NOT is_safe_url(bug.bug_file_loc) %]
- onclick="return confirm(
- 'This is considered an unsafe URL and could possibly be harmful. '
- + 'The full URL is:\n\n[% bug.bug_file_loc FILTER js FILTER html %]\n\n'
- + 'Continue?')"
+ rel="noreferrer" title="[% bug.bug_file_loc FILTER html %]"
+ [% IF NOT is_safe_url(bug.bug_file_loc) %]
+ onclick="
+ try {
+ return confirm('This is considered an unsafe URL and could possibly be harmful. ' +
+ 'The full URL is:\n\n[% bug.bug_file_loc FILTER js FILTER html %]\n\nContinue?');
+ } catch(e) {
+ return false;
+ }
+ "
[% END %]>
[% bug.bug_file_loc FILTER truncate(40) FILTER html %]</a>
(<a href="#" id="bz_url_edit_action">edit</a>)