Opened 10 years ago

Closed 10 years ago

#2162 closed Bug (fixed)

Working with Firebug might include reference to chrome: file

Reported by: Alfonso Martínez de Lizarrondo
Owned by: Alfonso Martínez de Lizarrondo
Priority: Normal
Milestone: FCKeditor 2.6.1
Component: Core : Output Data
Version: FCKeditor 2.6
Keywords: Confirmed Firefox Review+
Cc:

Description

I don't know the exact steps to reproduce, but I've seen a page that was no longer possible to edit, giving an error in both IE and Firefox. The page was edited with full page and it had this included (after the last successful edit):

		<link charset="utf-8" rel="stylesheet" type="text/css" href="chrome://firebug/content/highlighter.css" />

So it might be a good idea to check that the <link>s don't point to restricted URLs.

Attachments (1)

2162.patch (1.3 KB) - added by Alfonso Martínez de Lizarrondo 10 years ago.
Proposed SVN patch


Change History (7)

comment:1 Changed 10 years ago by Alfonso Martínez de Lizarrondo

Note: the bug in Firefox was reported as

Access to restricted URI denied" code: "1012

and IE said "Access denied", line 84

comment:2 Changed 10 years ago by Frederico Caldeira Knabben

Keywords: Confirmed Firefox added

I was able to append that <link> tag by simply inspecting a FullPage=true document with Firebug.

Is there any chance for us to detect Firebug and behave accordingly?

comment:3 Changed 10 years ago by Alfonso Martínez de Lizarrondo

Other extensions might include other content on the page, so I would rather just check that the href of the link starts with chrome:// and then ignore it. It doesn't matter if Firebug is loaded or not, we will be safe anyway.

An example of other extensions that do nasty things is Skype, but those transformations are much harder to revert as they are done in the body.

Changed 10 years ago by Alfonso Martínez de Lizarrondo

Attachment: 2162.patch added

Proposed SVN patch

comment:4 Changed 10 years ago by Alfonso Martínez de Lizarrondo

Keywords: Review? added

comment:5 Changed 10 years ago by Frederico Caldeira Knabben

Keywords: Review+ added; Review? removed
Milestone: FCKeditor 2.6.1

Your thoughts make sense Alfonso... I doubt we'll ever have someone intentionally appending chrome:// <link>s.

comment:6 Changed 10 years ago by Alfonso Martínez de Lizarrondo

Resolution: fixed
Status: new → closed

Fixed with [1983]
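
The check proposed in comment:3, written out as an added example; it is not the 2162.patch attachment or changeset [1983], whose contents are not shown on this page. The function names and the sample `<head>` are assumptions, and the scheme list generalizes beyond the `chrome://` case the ticket discusses.

```javascript
// Added example: drop <link> elements that point at browser-internal URLs
// before full-page editor output is saved. All names here are hypothetical.

// Schemes a normal web page cannot load. Only chrome:// comes from the
// ticket; the other entries are an assumed generalization.
const RESTRICTED_SCHEMES = ['chrome:', 'resource:', 'chrome-extension:', 'moz-extension:'];

// Return the href value from one tag's source text, or null if absent.
// Handles double-quoted, single-quoted and unquoted attribute values.
function getHref(tag) {
  const m = /\shref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(tag);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// True when the URL uses a restricted scheme. Browsers ignore leading
// whitespace and scheme case, so normalize before comparing.
function isRestrictedUrl(url) {
  if (url === null) return false;
  const normalized = url.replace(/^[\s\u0000-\u001f]+/, '').toLowerCase();
  return RESTRICTED_SCHEMES.some((scheme) => normalized.startsWith(scheme));
}

// Remove every <link ...> tag whose href is restricted; keep all others.
// The match includes the tag's indentation and newline so no blank line stays.
function stripRestrictedLinks(html) {
  return html.replace(/[ \t]*<link\b[^>]*>[ \t]*\r?\n?/gi, (match) =>
    isRestrictedUrl(getHref(match.trim())) ? '' : match
  );
}

// Constructed sample: a full-page <head> after inspection with Firebug.
const SAMPLE_HEAD = [
  '<head>',
  '\t<title>Test</title>',
  '\t<link rel="stylesheet" type="text/css" href="/css/site.css" />',
  '\t<link charset="utf-8" rel="stylesheet" type="text/css" href="chrome://firebug/content/highlighter.css" />',
  '</head>',
].join('\n');

console.log(stripRestrictedLinks(SAMPLE_HEAD));
```

Filtering on the URL scheme rather than on the presence of Firebug covers any extension that injects a stylesheet this way, which is the reasoning given in comment:3.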
