Bug 1372517 - Escape name before joining innerHTML. r=sebastian, a=lizzard
authormaliu <max@mxli.us>
Fri, 26 Jan 2018 10:04:54 -0600
changeset 454583 8ac8d4c54c2b402cee26fd9a1e51acdf68f2d5c0
parent 454582 e6146cc17bec1e65d3860213782c917f1bee9081
child 454584 b8321f5cb428ad97609a75616eab56881efee200
push id1648
push usermtabara@mozilla.com
push dateThu, 01 Mar 2018 12:45:47 +0000
treeherdermozilla-release@cbb9688c2eeb [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssebastian, lizzard
bugs1372517
milestone59.0
Bug 1372517 - Escape name before joining innerHTML. r=sebastian, a=lizzard MozReview-Commit-ID: 8Wh6SCuHK6F
mobile/android/chrome/content/config.js
--- a/mobile/android/chrome/content/config.js
+++ b/mobile/android/chrome/content/config.js
@@ -567,16 +567,25 @@ Pref.prototype = {
   reset: function AC_reset() {
     Services.prefs.clearUserPref(this.name);
   },
 
   test: function AC_test(aValue) {
     return aValue ? aValue.test(this.name) : true;
   },
 
+  escapeHTML: function(input) {
+    return input.replace(/&/g, "&amp;")
+                .replace(/</g, "&lt;")
+                .replace(/>/g, "&gt;")
+                .replace(/"/g, "&quot;")
+                .replace(/'/g, "&#x27;")
+                .replace(/\//g, "&#x2F;");
+  },
+
   // Get existing or create new LI node for the pref
   getOrCreateNewLINode: function AC_getOrCreateNewLINode() {
     if (!this.li) {
       this.li = document.createElement("li");
 
       this.li.className = "pref-item";
       this.li.setAttribute("name", this.name);
 
@@ -595,17 +604,17 @@ Pref.prototype = {
       );
 
       this.li.setAttribute("contextmenu", "prefs-context-menu");
 
       // Create list item outline, bind to object actions
       this.li.unsafeSetInnerHTML(
         "<div class='pref-name' " +
             "onclick='AboutConfig.selectOrToggleBoolPref(event);'>" +
-            this.name +
+            this.escapeHTML(this.name) +
         "</div>" +
         "<div class='pref-item-line'>" +
           "<input class='pref-value' value='' " +
             "onblur='AboutConfig.setIntOrStringPref(event);' " +
             "onclick='AboutConfig.selectOrToggleBoolPref(event);'>" +
           "</input>" +
           "<div class='pref-button reset' " +
             "onclick='AboutConfig.resetDefaultPref(event);'>" +