So much for nsIScriptableUnescapeHTML.parseFragment()

Last night, and again this morning, I spent a few hours trying to implement nsIScriptableUnescapeHTML.parseFragment() in the Wizz RSS code. According to Wladimir Palant, nsIScriptableUnescapeHTML.parseFragment() should be used for Displaying web content in an extension - without security issues. It’s also obvious that other Firefox “security experts” - i.e. Jorge Villalobos - agree with Wladimir Palant’s opinion.

My few hours of trying to implement nsIScriptableUnescapeHTML.parseFragment() have shown me that both Wladimir Palant and Jorge Villalobos are wrong!

Back in March 2007, Jefferson Ogata of NOAA Computer Incident Response Team (N-CIRT) lodged a vulnerability report with US-CERT (details of the vulnerability report can be seen here and here) with regard to a vulnerability discovered in Wizz RSS 2.1.7 (and earlier). Jefferson Ogata very kindly worked with me for quite a few weeks on plugging the vulnerability. Jefferson offered advice and I coded his recommendations. Jefferson would then test my fixes against a set of potentially malicious test cases, and when we were both happy that the vulnerability had successfully been plugged, version 2.1.9 was released and was made public.

So, while nsIScriptableUnescapeHTML.parseFragment() successfully deals with vulnerabilities in Wizz RSS uncovered by Wladimir Palant, it certainly does not deal with all of those uncovered by Jefferson Ogata in 2007!

Makes me wonder how many other Firefox extensions have implemented nsIScriptableUnescapeHTML.parseFragment(), believing that it would sanitize potentially malicious code? Also makes me wonder if the “security experts” actually know what they are talking about.

7 Responses to “So much for nsIScriptableUnescapeHTML.parseFragment()”

  1. Andy Says:

    I don’t plan to uninstall wizz, it’s one of the best and it has never given me any problems. Keep it up!!

  2. MaiDireAudit Says:

    I’ll never uninstall wizz. No matter what they say about security issues like that.
    Never had any single problem with the reader.

  3. Roonie Says:

    All these links and I don’t know how to uninstall it. Can you send me a proper link with instructions as to how to get this off my HD? Also, is this why I keep getting a pop-up in gMail related to passwords for RSS readers?

  4. Mike Says:

    @Roonie: As far as I’m aware, all Firefox add-ons uninstall in exactly the same way. If you don’t know how to uninstall a Firefox add-on, please see http://www.wizzrss.com/helpwiki/index.php/Uninstalling_Wizz_RSS for details on how to do it.

    If you are using Wizz RSS, or any other feed reader for Firefox (Which includes Live Bookmarks - Commonly referred to as Livemarks), to read your gmail, and have not got Firefox password manager to store your password, a pop-up requesting your gmail password will appear each time you read the feed.

  5. Jesse Francis Says:

    I would rather see the warning message every time I restart my browser than uninstall Wizz RSS. It is simply the best RSS feed agent for Firefox. Nothing else even comes close.

    My favorite feature is that it handles all my podcast subscriptions neatly in my AOIS sidebar and allows me to play them without visiting the podcasts site every time.

    Tell’em where to put it Mike.

  6. Elena Says:

    Thank you, everything is good.

  7. Elena Says:

    Thank you, I like it.
