feed: URLs with an innerURI inherit security context of page

ID MFSA2012-55
Type mozilla
Reporter Mozilla Foundation
Modified 2012-07-17T00:00:00


Security researchers Mario Gomes and Soroush Dalili reported that since Mozilla allows the pseudo-protocol feed: to prefix any valid URL, it is possible to construct feed:javascript: URLs that will execute scripts in some contexts. On some sites it may be possible to use this to evade output filtering that would otherwise strip javascript: URLs and thus contribute to cross-site scripting (XSS) problems on these sites.