Comments on: So much for nsIScriptableUnescapeHTML.parseFragment()

By: Mike

Mike — Mon, 28 Mar 2011 06:06:46 +0000

Thanks Roberto I wonder if Wladimir Palant and Jorge Villalobos would now consider an apology?

By: Roberto Suggi Liverani

Roberto Suggi Liverani — Sun, 27 Mar 2011 11:42:28 +0000

Hi Mike,

I just posted an article in my blog regarding this issue with the nsIScriptableUnescapeHTMl.parseFragment(). Please see here:

http://malerisch.net/articles/ParanoidFragmentSink_and_a_confusing_disclosure.html

In few words, you were right. The function could not be trusted. The issue has now been fixed by Mozilla.

Cheers,

Roberto Suggi Liverani

By: Mike

Mike — Fri, 05 Mar 2010 06:10:24 +0000

@Steve: The main problem here is that people at Mozilla are “selling” nsIScriptableUnescapeHTML.parseFragment() as the magic bullet for ensuring that malicious code doesn’t execute within the “privileged” confines of Firefox, which it certainly isn’t. Malicious code with access to the “privileged” confines of Firefox could, for example, read stored passwords – Which could be more than an annoyance if you do your banking online and Firefox has stored your password.

Because people at Mozilla are pushing nsIScriptableUnescapeHTML.parseFragment() on many extension developers, those same extension developers are accepting, without question, that the magic bullet is going to close all security holes. In fact all that is happening is that extension developers are implementing a standard set of security vulnerabilities.

By: Steve Kinney

Steve Kinney — Fri, 05 Mar 2010 05:42:06 +0000

If the user/administrator of a computer is competent, nothing that crawls up out of any Firefox extension can cause damage beyond annoyance or, at the very worst, a few hours of lost work. If the user/administrator is incompetent, obscure and as-yet unexploited security holes in Firefox extensions are the least of the problems.

I will not upgrade Firefox to any version that does not support Wizz RSS, because there are no workable replacements.

By: Elena

Elena — Wed, 16 Dec 2009 11:12:32 +0000

Спасибо, мне нравится.

By: Elena

Elena — Wed, 16 Dec 2009 11:11:33 +0000

Спасибо, все хорошо.

By: Jesse Francis

Jesse Francis — Sun, 13 Dec 2009 19:35:49 +0000

I would rather see the warning message every time I restart my browser than uninstall Wizz RSS. It is simply the best RSS feed agent for Firefox. Nothing else even comes close.

My favorite feature is that it handles all my podcast subscriptions neatly in my AOIS sidebar and allows me to play them without visitng the podcasts site every time.

Tell’em where to put it Mike.

By: Mike

Mike — Tue, 08 Dec 2009 19:48:04 +0000

@Roonie: As far as I’m aware, all Firefox add-ons uninstall in exactly the same way. If you don’t know how to uninstall a Firefox add-on, please see http://www.wizzrss.com/helpwiki/index.php/Uninstalling_Wizz_RSS for details on how to do it.

If you are using Wizz RSS, or any other feed reader for Firefox (Which includes Live Bookmarks – Commonly referred to as Livemarks), to read your gmail, and have not got Firefox password manager to store your password, a pop-up requesting your gmail password will appear each time you read the feed.

By: Roonie

Roonie — Tue, 08 Dec 2009 19:21:44 +0000

All these links and I don’t know how to uninstall it. Can you send me a proper link with instructions as to how to get this off my HD? Also, is this why I keep getting a pop-up in gMail related to passwords for RSS readers?

By: MaiDireAudit

MaiDireAudit — Wed, 25 Nov 2009 08:51:06 +0000

I’ll never uninstall wizz. No matter what they say about security issues like that.
Never had any single problem with the reader.