|
|
| Line 120: |
Line 120: |
|
| |
|
| ====1. XSS & HTML Injection attacks==== | | ====1. XSS & HTML Injection attacks==== |
|
| |
| InnerHTML and parseFromString are used with user input (e.g. body of the sms),
| |
| but it seems properly escape &<>'" characters (via Utils.Template.prototype.interpolate() and Utils.escapeHTML()).
| |
|
| |
| ISSUE ?: When generating the slides for building the SMIL document (smil.js): the 'blobType' of the document to be attached is used to build
| |
| an HTML string by concatenation.
| |
| The blobType is just the MIME type returned by Utils.typeFromMimeType(). In the case it detects text, the MIME type is returned as the
| |
| string it reads in the field. As it is not escaped to build the HTML string, what if the MIME type has been tampered with ?
| |
| Ref: smil.js, l.72 & l.92
| |
| utils.js, l.427
| |
|
| |
|
| ====2. Secure Communications ==== | | ====2. Secure Communications ==== |