  • Issues
  • #2780

Closed
Created Mar 21, 2011 by Mike Perry@mikeperry

Investigate Torbutton translation input validation issue

We had a random anonymous person show up on IRC who pointed out that Transifex was not filtering their input for XSS or other attacks. While this is bad for our website, it is potentially even worse for Torbutton. XUL XSS means arbitrary code execution.

I spoke with Dan Veditz, and he both half-chastised me for trusting this input and explained the history Mozilla went through before they managed to make Personas safe to deploy. DTD elements can carry arbitrary XUL elements. Properties are much less risky unless you use them as .innerHTML in DOM manipulations.

I also tried to see if I could "break out" of a DTD element used inside an attribute by closing the quote and injecting a script attribute. I could not.

I believe this means that only two of our DTD elements should actually be vulnerable to this.
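As an added example (not Torbutton's, Transifex's or Mozilla's code, written for this page): a small Python checker for translated .dtd and .properties files that applies the distinction drawn in the issue. An entity value substituted from a DTD lands in the XUL document as markup, so tag-like content in it can introduce XUL elements; a property value is a plain string and is only a problem if something later feeds it to .innerHTML. The sample locale contents, entity and property names, severities and the `check_translation` helper are all constructed here.

```python
import re

# Constructed sample locale files (not real Torbutton locale content).
DTD_SAMPLE = '''<!ENTITY torbutton.ok "OK">
<!ENTITY torbutton.evil "OK<script>alert(1)</script>">
<!ENTITY torbutton.quoted "Say &quot;hi&quot; &amp; wave">
<!ENTITY torbutton.amp "Fish & Chips">
'''

PROPERTIES_SAMPLE = '''# comment line
torbutton.popup.short_torbrowser=Torbutton Warning!
torbutton.popup.confirm=<b>Really</b> disable?
torbutton.popup.amp=Fish & Chips
'''

# One <!ENTITY name "value"> (or 'value') declaration. A literal quote of the
# delimiting kind cannot appear inside the value, so [^"]* is exact here.
ENTITY_RE = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
# key=value or key:value lines; lines starting with # or ! are comments.
PROPERTY_RE = re.compile(r'^\s*([^#!\s=:][^=:]*?)\s*[=:]\s*(.*)$')
# Anything that the XML parser would read as the start of a tag.
TAG_RE = re.compile(r'<\s*/?\s*[A-Za-z!?]')
# An & that is not followed by a well-formed entity or character reference.
BARE_AMP_RE = re.compile(r'&(?![A-Za-z][\w.-]*;|#\d+;|#x[0-9A-Fa-f]+;)')


def parse_dtd(text):
    """Return {entity_name: raw_value} for every ENTITY declaration in text."""
    entities = {}
    for m in ENTITY_RE.finditer(text):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        entities[m.group(1)] = value
    return entities


def parse_properties(text):
    """Return {key: value} for every non-comment key/value line in text."""
    props = {}
    for line in text.splitlines():
        m = PROPERTY_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def dtd_findings(entities):
    """Flag DTD entity values that are substituted into the XUL as markup."""
    findings = []
    for name, value in entities.items():
        if TAG_RE.search(value):
            # The value is parsed as XUL, so this becomes a real element.
            findings.append((name, 'high', 'tag-like content becomes a XUL element'))
        elif '<' in value or '>' in value:
            findings.append((name, 'medium', 'stray angle bracket in entity value'))
        elif BARE_AMP_RE.search(value):
            # A bare & starts an entity reference in the substituted text.
            findings.append((name, 'medium', 'bare & is not a valid reference'))
    return findings


def properties_findings(props):
    """Flag property values that would be dangerous only via .innerHTML."""
    findings = []
    for key, value in props.items():
        if TAG_RE.search(value):
            findings.append((key, 'low', 'markup; harmful only if assigned to innerHTML'))
    return findings


def check_translation(dtd_text, props_text):
    """Run both checks and return the findings grouped by file type."""
    return {
        'dtd': dtd_findings(parse_dtd(dtd_text)),
        'properties': properties_findings(parse_properties(props_text)),
    }


if __name__ == '__main__':
    for kind, items in check_translation(DTD_SAMPLE, PROPERTIES_SAMPLE).items():
        for name, severity, why in items:
            print(f'{kind}: {name} [{severity}] {why}')
```

The asymmetry in severities is the point of the issue: the same `<b>` string is a real element when it comes from a DTD entity and an inert string when it comes from a property, unless the extension's own JavaScript turns it into markup. The checker deliberately does not try to reason about quote characters, because a double-quoted entity value cannot contain a literal double quote at all, and the issue author reports he could not break out of an attribute with an entity that way.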
