POST data pretty printing allows execution of JavaScript code if the data
wasn't recognized as XML. The attached testcase exemplifies the problem:
1. Upload the attached file to a webserver.
2. Open it while HttpFox is running, a POST request will be emitted.
3. Now click the POST request to open its info.
You will see an alert box saying "/XSS/" - JavaScript code was successfully
injected and executed, thanks to the following code in showPostData function:
// just raw...
document.getElementById("hf_PostDataPretty").contentDocument.body.innerHTML = request.PostData;
Luckily, the code isn't executed with chrome privileges - saved by
type="content" here. Simply replacing innerHTML by textContent fixes the issue.
Note that there are similar issues in the debug panel (which end-users should
luckily never see). Looking at getDebugInfoContent(), HTML entities need to be
encoded for all the dynamic data inserted into HTML. There are multiple places
here where a malicious website could inject HTML code otherwise. Luckily,
type="content" prevents the issue from escalating here as well.
Original issue reported on code.google.com by wladi...@palant.de on 27 Jul 2010 at 11:23
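The unsafe innerHTML assignment quoted in the report beside the textContent fix, plus the entity encoding that getDebugInfoContent() needs, as an added example that is not HttpFox's own code; the element stand-in, SAMPLE_POST_DATA, escapeHtml and debugInfoRow are constructed for the demonstration.

```javascript
// Added example, not HttpFox code: the raw innerHTML sink from the report
// next to the textContent fix, and the entity encoding the debug panel needs.
// A constructed stand-in object replaces the DOM so this runs under Node.

// Constructed POST body that is not XML, so the "just raw" branch is taken.
const SAMPLE_POST_DATA = 'user=<b>bob</b>&msg=a<b';

// Minimal stand-in for contentDocument.body: records what each sink received.
function makeBody() {
  return { innerHTML: '', textContent: '' };
}

// Pattern from the report: untrusted request data assigned to innerHTML,
// so any markup in the POST body is parsed as HTML by the panel document.
function showPostDataUnsafe(body, postData) {
  body.innerHTML = postData;
  return body;
}

// Fix suggested in the report: textContent treats the data as plain text,
// so the same bytes are displayed literally and never reach the HTML parser.
function showPostDataSafe(body, postData) {
  body.textContent = postData;
  return body;
}

// Entity encoding for code that must build HTML strings (the debug panel):
// the five characters that can start or end markup or an attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical debug-info row builder: every dynamic value passes through
// escapeHtml before being concatenated into markup.
function debugInfoRow(label, value) {
  return '<tr><td>' + escapeHtml(label) + '</td><td>' + escapeHtml(value) + '</td></tr>';
}
```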