author | bors-servo <lbergstrom+bors@mozilla.com> | 2020-01-15 09:49:10 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-01-15 09:49:10 -0500 |
commit | 2373769e766aa6794bd141cd2da137e71a580c86 (patch) | |
tree | 4745e5cece823e5d05b787967809f0c8d09c2941 /components/script/dom/create.rs | |
parent | 95614f57f147699f15a8f103c7def1cdfcdc7d1f (diff) | |
parent | de76597d331f8b032c12240898b5317ac836a7fc (diff) | |

Auto merge of #25525 - pshaughn:mitigatedialog, r=jdm

Mitigation for #25498

This is not a complete solution:

* The alert string can get a bit mangled in some cases, but not to the point of unreadability.
* tinyfiledialogs has many codepaths that can pass strings to various different potentially-dialog-displaying executables; I do not know if some of those executables have their own unique escaping requirements.
* If some form of the same problem exists on OSX or Windows, this does not address them.

While imperfect, this is an improvement over continuing to have a known way for page authors to execute arbitrary shell script.

Diffstat (limited to 'components/script/dom/create.rs')

0 files changed, 0 insertions, 0 deletions