XSS through data: URLs

ID MFSA2012-46
Type mozilla
Reporter Mozilla Foundation
Modified 2012-07-17T00:00:00


Mozilla security researcher moz_bug_r_a4 reported a cross-site scripting (XSS) attack through the context menu using a data: URL. In this issue, the context menu actions "View Image", "Show only this frame", and "View background image" are disallowed for a javascript: URL but allowed for a data: URL, which allows XSS. This can lead to arbitrary code execution.
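The gap described above, a check that refuses javascript: but not data:, shown as an added JavaScript illustration (not Firefox code and not the actual fix): a scheme denylist beside an allowlist. The function names, the raster-image set and the sample URLs are assumptions made for this example.

```javascript
// Added illustration, not Firefox source. All names here are hypothetical.
const RASTER_IMAGE_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp"]);

// Normalise with the WHATWG URL parser so case, leading spaces and embedded
// tabs/newlines cannot disguise the scheme. Returns null for unparsable input.
function parse(raw) {
  try { return new URL(raw); } catch { return null; }
}

// The flawed shape from the advisory: only javascript: is refused.
function denylistAllows(raw) {
  const url = parse(raw);
  return url !== null && url.protocol !== "javascript:";
}

// Media type of a data: URL, lowercased; null when malformed (no comma).
function dataMediaType(url) {
  const comma = url.pathname.indexOf(",");
  if (comma === -1) return null;
  const type = url.pathname.slice(0, comma).split(";")[0].trim().toLowerCase();
  return type === "" ? "text/plain" : type; // RFC 2397 default
}

// Allowlist shape: network schemes pass, data: passes only for raster images.
// image/svg+xml is left out on purpose because SVG documents can carry script.
function allowlistAllows(raw) {
  const url = parse(raw);
  if (url === null) return false;
  if (url.protocol === "http:" || url.protocol === "https:") return true;
  if (url.protocol === "data:") return RASTER_IMAGE_TYPES.has(dataMediaType(url));
  return false;
}

// Constructed sample inputs.
const SAMPLES = [
  "https://example.test/photo.png",
  "data:image/png;base64,iVBORw0KGgo=",
  " JaVa\tScRiPt:void(0)",
  "data:text/html,<b>constructed</b>",
  "DATA:Text/HTML;charset=utf-8,constructed",
  "data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'/>",
];

// Verdict of each check for every sample, for side-by-side comparison.
function compare(samples = SAMPLES) {
  return samples.map((raw) => ({ raw, denylist: denylistAllows(raw), allowlist: allowlistAllows(raw) }));
}
```

Calling `compare()` shows the denylist passing every data: sample, including the HTML and SVG documents, while the allowlist passes only the network URL and the PNG.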