gecko-dev/mobile/android/locales
Cykesiopka 9533a3d17b Bug 1281661 - Ensure input to NSSDialogService prompt messages are HTML escaped to avoid HTML injection. r=kats,keeler
As of the writing of this patch, NSSDialogService pops up a prompter on
Android as follows (assuming at least one label is requested):
1. NSSDialogService.js calls Prompt.jsm methods and eventually requests the
   prompt be displayed.
2. Prompt.jsm sends a message to the Java side.
3. The Java side receives the message and eventually calls
   org.mozilla.gecko.prompts.PromptInput.LabelInput.getView().
4. LabelInput.getView() calls android.text.Html.fromHtml().

At no point is any HTML injection prevention done, so in theory NSSDialogService
could be an injection vector.

In practice, it appears that fromHtml() doesn't actually allow anything malicious
to be done. This patch introduces HTML escaping at the NSSDialogService
level just to be safe.

MozReview-Commit-ID: LhHuZKSqx01

--HG--
extra : transplant_source : l%C9%A2%95%9A.%05%1F%CF%5D%02%5E%12N%C1%B7O%7C%1B%8B
2016-06-29 18:48:49 -07:00
..
en-US Bug 1281661 - Ensure input to NSSDialogService prompt messages are HTML escaped to avoid HTML injection. r=kats,keeler 2016-06-29 18:48:49 -07:00
all-locales Bug 1246000 - remove stale locales from Android on central, too, r=jbeatty 2016-02-17 16:39:43 +01:00
filter.py Bug 1182722 - Move DevTools l10n files. r=ochameau,glandium,Pike,bgrins 2015-11-04 15:35:53 -06:00
jar.mn Bug 1232105 - device prompt UI for presentation api; r=margaret 2016-04-25 11:34:23 +08:00
l10n.ini
maemo-locales bug 900591, bug 626023, adds sv-SE to all- and maemo-locales for addition to multi-locale APK, r=mfinkle 2013-08-30 19:08:19 +02:00
Makefile.in Backed out changeset a87a27864bb8 (bug 1223385) 2016-01-15 13:51:54 +01:00
moz.build Bug 774572 - Part 2: Define JAR_MANIFESTS in moz.build files; r=glandium 2013-12-10 16:18:11 +09:00