Security/Reviews/Gaia/DownloadManager: Difference between revisions

Jump to navigation Jump to search

Security/Reviews/Gaia/DownloadManager (view source)

Revision as of 17:21, 30 January 2014

5 bytes added ,  30 January 2014
→‎XSS & HTML Injection Attacks
Line 110: Line 110:
Based on source code inspection, there are no dangerous coding practices (like misuse of innerHTML) that will result in HTML/JS injections.
Based on source code inspection, there are no dangerous coding practices (like misuse of innerHTML) that will result in HTML/JS injections.


Characters ',",>, and < were tested in filenames. We could not directly test > or < because the filesystem disallowed those characters in filenames, however we did use App Manager to break into the JS and insert those characters to see if filenames were rendered safely in the Notifications pull down as well as the Settings->Downloads menu.
Characters ',",>, \, & and < were tested in filenames. We could not directly test > or < because the filesystem disallowed those characters in filenames, however we did use App Manager to break into the JS and insert those characters to see if filenames were rendered safely in the Notifications pull down as well as the Settings->Downloads menu.


==== Secure Communications ====
==== Secure Communications ====
Rfletcher
Confirmed users
353

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/911038"

Navigation menu