You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-55

Mozilla Foundation Security Advisory 2012-55

Title: feed: URLs with an innerURI inherit security context of page
Impact: Moderate
Announced: July 17, 2012
Reporter: Mario Gomes, Soroush Dalili
Products: Firefox

Fixed in: Firefox 14
  Firefox ESR 10.0.6


Security researchers Mario Gomes and Soroush Dalili reported that since Mozilla allows the pseudo-protocol feed: to prefix any valid URL, it is possible to construct feed:javascript: URLs that will execute scripts in some contexts. On some sites it may be possible to use this to evade output filtering that would otherwise strip javascript: URLs and thus contribute to cross-site scripting (XSS) problems on these sites.