Bug 1074485 - Reflected Cross-Site Scripting (XSS) on about:cache context and storage request variables, r=MattN
authorHonza Bambas <honzab.moz@firemni.cz>
Wed, 08 Oct 2014 17:07:42 +0200
changeset 209359 73b8074b7299d608ca96fa1368aceb90f4e39506
parent 209358 bbbf658ef840a51cac276ceefb994047062cce81
child 209360 72a705b53e7581e086ee7b4281fad9d45ffd2382
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
reviewersMattN
bugs1074485
milestone35.0a1
Bug 1074485 - Reflected Cross-Site Scripting (XSS) on about:cache context and storage request variables, r=MattN
netwerk/protocol/about/nsAboutCache.cpp
--- a/netwerk/protocol/about/nsAboutCache.cpp
+++ b/netwerk/protocol/about/nsAboutCache.cpp
@@ -180,23 +180,27 @@ nsAboutCache::VisitNextStorage()
 void
 nsAboutCache::FireVisitStorage()
 {
     nsresult rv;
 
     rv = VisitStorage(mStorageName);
     if (NS_FAILED(rv)) {
         if (mLoadInfo) {
+            char* escaped = nsEscapeHTML(mStorageName.get());
             mBuffer.Append(
                 nsPrintfCString("<p>Unrecognized storage name '%s' in about:cache URL</p>",
-                                mStorageName.get()));
+                                escaped));
+            nsMemory::Free(escaped);
         } else {
+            char* escaped = nsEscapeHTML(mContextString.get());
             mBuffer.Append(
                 nsPrintfCString("<p>Unrecognized context key '%s' in about:cache URL</p>",
-                                mContextString.get()));
+                                escaped));
+            nsMemory::Free(escaped);
         }
 
         FlushBuffer();
 
         // Simulate finish of a visit cycle, this tries the next storage
         // or closes the output stream (i.e. the UI loader will stop spinning)
         OnCacheEntryVisitCompleted();
     }