toolkit/content/tests/chrome/test_bug570192.xul
author Kris Maglione <maglione.k@gmail.com>
Wed, 24 Jan 2018 14:56:48 -0800
changeset 454546 64737c752ac4af4766ad6f82720818521f3aca24
parent 196717 bbdc558a0bb261e2434a6f974cafcd39f544c639
child 471069 3709d682bb55a88747275fff818a033f8de558c1
permissions -rw-r--r--
Bug 1432966: Sanitize HTML fragments created for chrome-privileged documents. r=bz f=gijs a=jcristau This is a short-term solution to our inability to apply CSP to chrome-privileged documents. Ideally, we should be preventing all inline script execution in chrome-privileged documents, since the repercussions of XSS in chrome documents are much worse than in content documents. Unfortunately, that's not possible in the near term because a) we don't support CSP in system principal documents at all, and b) we rely heavily on inline JS in our static XUL. This stop-gap solution at least prevents some of the most common vectors of XSS attack, by automatically sanitizing any HTML fragment created for a chrome-privileged document. MozReview-Commit-ID: 5w17celRFr

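<?xml version="1.0"?>
<?xml-stylesheet href="chrome://global/skin" type="text/css"?>
<?xml-stylesheet
  href="chrome://mochikit/content/tests/SimpleTest/test.css"
  type="text/css"?>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=570192
-->
<!-- Title names the bug this test covers, matching the comment above and
     the link in the body (the old title referred to a different bug). -->
<window title="Mozilla Bug 570192"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">

  <script type="application/javascript"
          src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
  <script type="application/javascript"
          src="chrome://mochikit/content/tests/SimpleTest/WindowSnapshot.js"></script>
  <script type="application/javascript"
          src="RegisterUnregisterChrome.js"></script>

  <!-- Standard mochitest scaffolding. The hidden "content" div is the only
       element the test script touches: it is filled with a XUL <textbox>
       fragment via unsafeSetInnerHTML. "display" and "test" are left for
       the harness and are not used by this test's script. -->
  <body xmlns="http://www.w3.org/1999/xhtml">
    <a target="_blank"
       href="https://bugzilla.mozilla.org/show_bug.cgi?id=570192">
      Mozilla Bug 570192
    </a>

    <p id="display">
    </p>
    <div id="content" style="display: none">
    </div>
    <pre id="test">
    </pre>
  </body>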
  <script type="application/javascript">
    <![CDATA[

    // Tell the harness that SimpleTest.finish() will be called explicitly
    // by the load handler registered below.
    SimpleTest.waitForExplicitFinish();

    // On load: insert a XUL <textbox> fragment into the hidden #content div
    // and check that it was created without an editor attached. Any
    // exception is reported as a failed assertion instead of aborting the
    // run, so the harness always reaches finish().
    addLoadEvent(function checkTextboxWithoutEditor() {
      // Fixed, developer-authored markup. Nothing from an untrusted source
      // may flow into this string, because the call below skips the
      // fragment sanitizer.
      var textboxMarkup = '<textbox newlines="pasteintact" ' +
        'xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"/>';
      try {
        var container = document.getElementById("content");
        // unsafeSetInnerHTML bypasses the sanitizer that Bug 1432966 applies
        // to HTML fragments in chrome-privileged documents. Presumably it is
        // needed here because the fragment is XUL rather than HTML — confirm
        // against the sanitizer's allow-list before switching to innerHTML.
        container.unsafeSetInnerHTML(textboxMarkup);
        var textbox = container.firstChild;
        ok(textbox, "created the textbox");
        ok(!textbox.editor, "do we have an editor?");
      } catch (e) {
        ok(false, "Got an exception: " + e);
      }
      SimpleTest.finish();
    });

   ]]>
  </script>
</window>