Closed biancadanforth closed 6 years ago
This is an issue brought up by the Security Review.
Per mozfreddyb:
... any kind of unprivileged process can send a fake message to the privileged parent and you don't really make sure that state.blockedResources, state.blockedAds, and time are actually just numbers in https://github.com/biancadanforth/tracking-protection-shield-study/blob/master/addon/content/new-tab-variation.js#L55-L71 -- so this could lead to XSS. ... this can be fixed by doing sanitization before the message.replace(), e.g., using parseInt().
Although the entity sending the numbers is the JSM, and I don't send values from the less privileged context to the JSM, this process of sanitizing inputs is probably a good practice in general and should be incorporated, since it's very easy to do.
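A worked example of the fix mozfreddyb suggests, added here and not taken from the add-on's own code: the message template, placeholder names and the count fields are assumptions, and the block contrasts the substitution with and without the numeric check before message.replace().

```javascript
// Assumed template in the style of new-tab-variation.js; the placeholders
// stand in for whatever the real add-on substitutes.
const MESSAGE_TEMPLATE =
  "Blocked ${blockedResources} trackers and ${blockedAds} ads, saving ${time} seconds.";

// Unvalidated version: whatever the sender puts into `state` is copied into
// the string verbatim, so a non-numeric value (markup included) survives into
// the HTML the page later inserts. This is the pattern the review flagged.
function buildMessageUnsafe(state, time) {
  return MESSAGE_TEMPLATE
    .replace("${blockedResources}", state.blockedResources)
    .replace("${blockedAds}", state.blockedAds)
    .replace("${time}", time);
}

// Reduce one field to a non-negative integer or throw. parseInt is the
// review's suggestion; Number.isInteger plus the range check additionally
// rejects NaN, Infinity and negatives. Note parseInt("12abc") yields 12, so
// trailing garbage is dropped rather than rejected, which is still safe for
// the DOM because only digits remain.
function toSafeCount(value, name) {
  const n = parseInt(value, 10);
  if (!Number.isInteger(n) || n < 0) {
    throw new TypeError(`${name} must be a non-negative integer, got ${String(value)}`);
  }
  return n;
}

// Hardened version: every value is coerced to a number before it reaches
// replace(), so only digits can end up in the rendered message. Converting
// back to String also avoids replace()'s special "$" replacement patterns.
function buildMessageSafe(state, time) {
  const blockedResources = toSafeCount(state.blockedResources, "blockedResources");
  const blockedAds = toSafeCount(state.blockedAds, "blockedAds");
  const seconds = toSafeCount(time, "time");
  return MESSAGE_TEMPLATE
    .replace("${blockedResources}", String(blockedResources))
    .replace("${blockedAds}", String(blockedAds))
    .replace("${time}", String(seconds));
}

// Constructed inputs: one well-formed state and one carrying markup.
const goodState = { blockedResources: 5, blockedAds: "12" };
const badState = { blockedResources: "<b>not a number</b>", blockedAds: 1 };
console.log(buildMessageUnsafe(badState, 2)); // markup passes through untouched
console.log(buildMessageSafe(goodState, 3));  // "Blocked 5 trackers and 12 ads, saving 3 seconds."
```

Calling buildMessageSafe with badState throws a TypeError instead of producing a message, which is the behaviour a caller in the privileged side should expect and log.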