Bug 1074485 - Reflected Cross-Site Scripting (XSS) on about:cache context and storage request variables, r=MattN
--- a/netwerk/protocol/about/nsAboutCache.cpp
+++ b/netwerk/protocol/about/nsAboutCache.cpp
@@ -180,23 +180,27 @@ nsAboutCache::VisitNextStorage()
void
nsAboutCache::FireVisitStorage()
{
nsresult rv;
rv = VisitStorage(mStorageName);
if (NS_FAILED(rv)) {
if (mLoadInfo) {
+ char* escaped = nsEscapeHTML(mStorageName.get());
mBuffer.Append(
nsPrintfCString("<p>Unrecognized storage name '%s' in about:cache URL</p>",
- mStorageName.get()));
+ escaped));
+ nsMemory::Free(escaped);
} else {
+ char* escaped = nsEscapeHTML(mContextString.get());
mBuffer.Append(
nsPrintfCString("<p>Unrecognized context key '%s' in about:cache URL</p>",
- mContextString.get()));
+ escaped));
+ nsMemory::Free(escaped);
}
FlushBuffer();
// Simulate finish of a visit cycle, this tries the next storage
// or closes the output stream (i.e. the UI loader will stop spinning)
OnCacheEntryVisitCompleted();
}
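Review bot: Both added `nsEscapeHTML()` calls in FireVisitStorage() hand their result straight to `%s` and free it manually, with no null check. If the function can return null on allocation failure (its declaration is not visible in this hunk), the format call receives a null pointer, so a guard such as `escaped ? escaped : ""` in each `nsPrintfCString(...)` argument list would keep the error path well defined. The two branches would also benefit from a short comment stating why the escape is there, e.g. `// Value comes from the about:cache URL; HTML-escape it before writing it into the page.`, so that a later cleanup does not drop it. Only these two sinks are visible here, so it is worth confirming that no other `mBuffer.Append` in this file writes `mStorageName` or `mContextString` unescaped.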