Line 69: | Line 69: | ||
====1. XSS & HTML Injection attacks==== | ====1. XSS & HTML Injection attacks==== | ||
=====Suspicious but OK===== | =====Suspicious but OK===== | ||
~/work/code/gaia/apps/costcontrol/js/view_manager.js:111 - panel.innerHTML = panel.childNodes[i].nodeValue; | |||
-inside _loadPanel, which is a function assigned to loadPanel | -inside _loadPanel, which is a function assigned to loadPanel | ||
-loadPanel is used inside changeViewTo | -loadPanel is used inside changeViewTo | ||
Line 76: | Line 76: | ||
-Specifically, changeViewTo('datausage-tab') is called, so if 'datausage-tab' | -Specifically, changeViewTo('datausage-tab') is called, so if 'datausage-tab' | ||
~/work/code/B2G/gaia/apps/costcontrol/js/view_manager.js:138 - var script = document.createElement('script'); | |||
- Used to activate scripts | - Used to activate scripts | ||
- grabs a bunch of scripts (from where?) and then builds script tags with the sources. | - grabs a bunch of scripts (from where?) and then builds script tags with the sources. | ||
- can we contaminate the name of a script file defined in the src to something malicious | - can we contaminate the name of a script file defined in the src to something malicious | ||
~/work/code/gaia/apps/costcontrol/js/settings/settings.js:131 - src.innerHTML = xhr.responseText; | |||
-> XHR is fetching /debug.html which has no variable data | -> XHR is fetching /debug.html which has no variable data | ||
~/work/code/B2G/gaia/apps/costcontrol/js/fte.js:121 - if (window.location.hash) { | |||
- Does JS do inlining? If so, wouldn't a hash of alert(1) fire in that context? | - Does JS do inlining? If so, wouldn't a hash of alert(1) fire in that context? | ||
- "There is no implicit inling in JS" - dchan | - "There is no implicit inling in JS" - dchan |
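Review bot: the view_manager.js:138 entry still carries two open questions ("from where?" and whether a script name in the src can be contaminated) while sitting in the "Suspicious but OK" list. Either record the answer, the way the settings.js:131 entry does with "/debug.html which has no variable data", or keep the entry out of the OK list until the source of the script list is identified. The file references also mix ~/work/code/gaia/ and ~/work/code/B2G/gaia/ prefixes; repository-relative paths would let other reviewers check the line numbers.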