Comment 6 for bug 991982

Dylan McCall (dylanmccall) wrote :

Ack!
Thanks very much for noticing this and reporting it so thoroughly, Paul.

I'm attaching a fix that applies to the slideshow. Doing it as a patch, because I'm not sure how branches work with private bug reports. This receives from twitter.com using https, and it encodes any URIs it receives using the appropriate functions. With this patch, Paul's attack (if it got around https) would generate a link like this:

<a class="twitter-url" href="javascript:alert(document.body.innerHTML)%22%20onmouseover=%22%20xmlhttp%20=%20new%20XMLHttpRequest();%20xmlhttp.onreadystatechange%20=%20function()%20%7B%20if%20(xmlhttp.readyState%20==%204)%20%7B%20alert('XSSed!%20...%20'%20+%20xmlhttp.responseText);%20%7D%20%7D;%20xmlhttp.open('GET',%20'file:///target/etc/passwd',%20true);%20xmlhttp.send(null);%20%22%20style=%22z-index:100;position:absolute;top:0px;left:0px;width:100%25;height:100%25;">buzz.mw/_uuI1j</a>

That is, it wouldn't link anywhere.