Security/Reviews/Gaia/clock
App Review Details
- App: clock
- Review Date: 2013-03-08
- Review Lead: Frederik Braun (:freddyb)
- Review Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=754737
Overview
Components
Menu to view current time, date and currently set alarms. Interaction via add-alarm button or change-alarm on an existing alarm.
Events set to trigger an alarm.
Relevant Source Code
Source code available on GitHub: https://github.com/mozilla-b2g/gaia/tree/master/apps/clock
Reviewed all JavaScript code in js/.
Permissions
The app has full read/write permissions to the Settings in order to add and remove alarms. It also stores whether the clock is shown as a digital or an analog clock.
It might be desirable to have more granular settings capabilities in general; see bug 841071: https://bugzilla.mozilla.org/show_bug.cgi?id=841071
Web Activity Handlers
None
Web Activity Usage
None
Notable Event Handlers
None
Code Review Notes
1. XSS & HTML Injection attacks
The name of an alarm is escaped using a temporary span element and then setting and extracting its textContent. No other text input is being handled.
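One common form of the temporary-span escaping described in note 1, as an added example that is not the clock app's code: the label is written through textContent and read back serialized. Reading back through innerHTML, the string-only fallback for runtimes without a DOM, and all function names here are assumptions made for this sketch.

```javascript
// Added example; not code from the Gaia clock app. All names are hypothetical.

// String-only equivalent of how HTML serialization escapes a text node:
// '&', U+00A0, '<' and '>' are replaced. Quotes are left untouched.
function escapeText(s) {
  return String(s)
    .replace(/&/g, '&amp;')      // must run first to avoid double escaping
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Temporary-span variant: assigning textContent stores the input as a text
// node (it is never parsed as markup); serializing the span escapes it.
function escapeHTML(s) {
  if (typeof document !== 'undefined') {
    const span = document.createElement('span');
    span.textContent = s;
    return span.innerHTML;
  }
  return escapeText(s); // assumption: fallback when no DOM is available
}

// Text-node escaping leaves quotes alone, so a value placed inside a quoted
// attribute needs them escaped as well.
function escapeAttr(s) {
  return escapeHTML(s).replace(/"/g, '&quot;').replace(/'/g, '&#x27;');
}

// Constructed use: an alarm label placed in both an attribute and a text
// context of a markup string.
function renderAlarmRow(label) {
  return '<li title="' + escapeAttr(label) + '">' + escapeHTML(label) + '</li>';
}
```

Where the label is only ever displayed, assigning it to an existing element's textContent avoids building a markup string at all.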
2. Secure Communications
No communication.
3. Secure data storage
No storage of sensitive data.
4. Denial of Service
5. Use of Privileged APIs
Settings
6. Interfaces with other Apps/Content
None