Last night, and again this morning, I spent a few hours trying to implement nsIScriptableUnescapeHTML.parseFragment() in the Wizz RSS code. According to Wladimir Palant, nsIScriptableUnescapeHTML.parseFragment() should be used for Displaying web content in an extension – without security issues. It’s also obvious that other Firefox “security experts” – i.e. Jorge Villalobos – agree with Wladimir Palant’s opinion.
My few hours of trying to implement nsIScriptableUnescapeHTML.parseFragment() have shown me that both Wladimir Palant and Jorge Villalobos are wrong!
Back in March 2007, Jefferson Ogata of the NOAA Computer Incident Response Team (N-CIRT) lodged a vulnerability report with US-CERT (details of the vulnerability report can be seen here and here) with regard to a vulnerability discovered in Wizz RSS 2.1.7 (and earlier). Jefferson Ogata very kindly worked with me for quite a few weeks on plugging the vulnerability. Jefferson offered advice and I coded his recommendations. Jefferson would then test my fixes against a set of potentially malicious test cases, and when we were both happy that the vulnerability had successfully been plugged, version 2.1.9 was released and made public.
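The following is an added example, not code from Wizz RSS, from Mozilla, or from anyone named in this post, and it makes no claim about which inputs nsIScriptableUnescapeHTML.parseFragment() does or does not strip. It shows the kind of test battery a fix like the one described above gets checked against: a small allow-list sanitizer for untrusted feed HTML, run over constructed inputs covering event-handler attributes, javascript: URLs in several encodings, script/style content and unclosed tags. The allow-list, the accepted URL schemes and the inputs are all assumptions chosen for illustration.

```python
"""Allow-list HTML sanitizer for untrusted feed content (added example).

Not Wizz RSS or Mozilla code. The allow-list, URL scheme policy and the
constructed malicious inputs below are assumptions for illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list: element -> attributes kept on it. Anything else is dropped,
# which is what removes every on* handler and style= attribute.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "br": set(), "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID = {"br", "img"}                  # never pushed on the open-tag stack
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", ""}  # "" covers relative URLs
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}  # tag AND body dropped


def safe_url(value):
    """Reject any URL whose scheme is not on the allow-list.

    Whitespace and control characters are removed first, so "java\\tscript:"
    collapses to "javascript:" before the scheme is inspected. Numeric entities
    (&#106;avascript:) are already decoded by HTMLParser before we see them.
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False


class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # emitted output pieces
        self.open = []        # stack of allowed tags we emitted, for re-closing
        self.drop_depth = 0   # > 0 while inside script/style/iframe/...

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth:
            return
        allowed_attrs = ALLOWED.get(tag)
        if allowed_attrs is None:
            return  # unknown element: drop the tag, keep its text content
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name not in allowed_attrs:
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self.drop_depth:
                self.drop_depth -= 1
            return
        if self.drop_depth or tag not in self.open:
            return
        # Close everything opened after this tag too, so output stays well-formed.
        while self.open:
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            # HTMLParser decoded entities for us; re-escape so text stays text.
            self.out.append(escape(data, quote=False))

    # Comments, declarations and processing instructions are silently dropped
    # by HTMLParser's default handlers.

    def result(self):
        self.close()
        while self.open:  # close anything the input left unclosed
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    parser = FeedSanitizer()
    parser.feed(fragment)
    return parser.result()


# Constructed test battery (not real feed data).
MALICIOUS_CASES = [
    '<p onmouseover="alert(1)">hi</p>',
    '<a href="javascript:alert(1)">x</a>',
    '<a href="JaVa\tScRiPt:alert(1)">x</a>',
    '<a href="&#106;avascript:alert(1)">x</a>',
    '<img src="x" onerror="alert(1)">',
    '<script>alert(1)</script>text',
    '<style>body{}</style>',
    '<iframe src="http://example.invalid"></iframe>',
    '<b><i>unclosed',
]

if __name__ == "__main__":
    for case in MALICIOUS_CASES:
        print(repr(case), "->", repr(sanitize(case)))
```

The point of the battery is that each row attacks a different assumption (attribute filtering, scheme checking, entity decoding, whitespace in schemes, raw script bodies, tag balance); a sanitizer that passes one row tells you nothing about the next, which is why a fix is only trusted after the whole set passes.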
So, while nsIScriptableUnescapeHTML.parseFragment() successfully deals with vulnerabilities in Wizz RSS uncovered by Wladimir Palant, it certainly does not deal with all of those uncovered by Jefferson Ogata in 2007!
Makes me wonder how many other Firefox extensions have implemented nsIScriptableUnescapeHTML.parseFragment(), believing that it would sanitize potentially malicious code? Also makes me wonder if the “security experts” actually know what they are talking about.