[hackerone] javascript: security isssue #2463

diracdeltas · 2020-04-13T20:32:14Z

see https://hackerone.com/reports/846152 or ask yan for details

Test Plan

Specified here: #2550

diracdeltas · 2020-04-14T19:20:08Z

discussed in Slack, decided solution was just to strip javascript: from the URL bar when pasting

srirambv · 2020-05-22T17:38:50Z

Verification passed on iPhone XR with iOS 13.5 running 1.17(20.5.21.17)

Verified test plan from Fix #2463: Javascript URLs should only work for bookmarklets #2550

Verification passed on iPhone 7+ with iOS 13.4.5 running 1.17(20.5.21.17)

Verified test plan from Fix #2463: Javascript URLs should only work for bookmarklets #2550

Verification passed on iPhone 6 with iOS 12.4.5 running 1.17(20.5.21.17)

Verified test plan from Fix #2463: Javascript URLs should only work for bookmarklets #2550

Verification passed on iPad Pro with iOS 13.4.5 running 1.17(20.5.21.17)

Verified test plan from Fix #2463: Javascript URLs should only work for bookmarklets #2550

Verification passed on iPad Pro with iOS 12.4.5 running 1.17(20.5.21.17)

Verified test plan from Fix #2463: Javascript URLs should only work for bookmarklets #2550

diracdeltas added the security label Apr 13, 2020

diracdeltas assigned Brandon-T Apr 14, 2020

jhreis assigned jhreis and unassigned Brandon-T Apr 17, 2020

jumde added the sec-priority label Apr 22, 2020

diracdeltas assigned jumde Apr 30, 2020

jhreis added a commit that referenced this issue May 7, 2020

Ref #2463: Initial sanitization approach.

e2a9a91

jumde pushed a commit that referenced this issue May 12, 2020

Ref #2463: Initial sanitization approach.

cb35061

jumde mentioned this issue May 13, 2020

Fix #2463: Javascript URLs should only work for bookmarklets #2550

Merged

7 tasks

jhreis added this to the 1.17 milestone May 14, 2020

jhreis added bug QA/Yes release-notes/include labels May 14, 2020

jhreis closed this as completed in #2550 May 14, 2020

jhreis pushed a commit that referenced this issue May 14, 2020

Fix #2463: Javascript URLs should only work for bookmarklets (#2550)

7f440d9

This was referenced May 22, 2020

Manual test run for 1.17 on iPhone X running iOS13 #2568

Closed

Manual test run for 1.17 on iPhone running iOS12 #2569

Closed

Manual test run for 1.17 on iPad mini running iOS13 #2570

Closed

srirambv added QA Pass - iPad QA Pass - iPhone X QA Pass - iPhone labels May 22, 2020

srirambv mentioned this issue May 29, 2020

Release Notes for 1.17 #2592

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[hackerone] javascript: security isssue #2463

[hackerone] javascript: security isssue #2463

diracdeltas commented Apr 13, 2020 •

edited by jumde

Loading

diracdeltas commented Apr 14, 2020

srirambv commented May 22, 2020

[hackerone] javascript: security isssue #2463

[hackerone] javascript: security isssue #2463

Comments

diracdeltas commented Apr 13, 2020 • edited by jumde Loading

Test Plan

diracdeltas commented Apr 14, 2020

srirambv commented May 22, 2020

diracdeltas commented Apr 13, 2020 •

edited by jumde

Loading