No, that was not a sufficient fix, though it would block the PoC. There are other URL schemes that can run script. Anywhere that tries to block just javascript is probably wrong; much safer to call one of the security manager's checkLoadURI calls and be assured that any future dangerous URL schemes will be covered as well.


Michael Vincent van Rantwijk wrote:
I was reading http://mozillazine.org/talkback.html?article=6582
especially this part: "One of the parameters passed to the software installation method is an icon URL, which can be a piece of JavaScript code. As this JavaScript is executed from the chrome (the browser user interface rather than a Web page), it has 'full chrome privileges' and can do anything that the user running Firefox can. The attacker can therefore pass in some malicious JavaScript and run arbitrary code on the victim's system."
and I was wondering if the patch we use in xpinstallConfirm.js is sufficient already:


    var icon = this._param.GetString(++i);

    if (icon != "" && !icon.match(/^javascript:/i))
      installItem.icon = icon;

see also: http://lxr.mozilla.org/seamonkey/source/toolkit/mozapps/xpinstall/content/xpinstallConfirm.js#65
_______________________________________________
Mozilla-xpinstall mailing list
Mozilla-xpinstall@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-xpinstall
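
The difference between the quoted denylist check and a default-deny check, as an added example that is not part of the thread or of Mozilla's code. The allowlist here is a stand-in that runs outside the browser for the checkLoadURI call the reply recommends; `ALLOWED_ICON_SCHEMES`, the function names and the sample inputs are assumptions made for this sketch.

```javascript
// Added illustration; not code from xpinstallConfirm.js or any Mozilla tree.

// The check quoted in the thread: reject only the "javascript:" scheme.
function denylistAccepts(icon) {
  return icon !== "" && !/^javascript:/i.test(icon);
}

// Assumed policy for this sketch: schemes an install-dialog icon may use.
const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);

// Default-deny check: parse the value and accept only listed schemes.
// Anything unparseable or unlisted is rejected, including schemes that
// did not exist when the list was written.
function allowlistAccepts(icon) {
  let parsed;
  try {
    parsed = new URL(icon);
  } catch (e) {
    return false; // empty, relative or malformed input
  }
  return ALLOWED_ICON_SCHEMES.has(parsed.protocol);
}

// Constructed sample inputs; "futurescheme:" is a made-up scheme standing
// for any scheme the denylist author did not think of.
const SAMPLES = [
  "https://example.org/icon.png",
  "javascript:void(0)",
  "JavaScript:void(0)",
  "futurescheme:example",
  "",
];

// Run both checks over every sample so the disagreement is visible.
function compare(samples) {
  return samples.map((icon) => ({
    icon,
    denylist: denylistAccepts(icon),
    allowlist: allowlistAccepts(icon),
  }));
}

console.table(compare(SAMPLES));
```

The two checks disagree only on `futurescheme:example`: the denylist lets it through and the allowlist rejects it.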
