Ladybird Task Manager doesn't html escape `process.title` #24293

xBZZZZ · 2024-05-12T09:28:20Z

serenity/Userland/Libraries/LibWebView/ProcessManager.cpp

Line 214 in e5206f5

builder.appendff(" - {}", *process.title);

screenshot

unrelated question

why use

serenity/Userland/Libraries/LibWebView/ProcessManager.cpp

Lines 210 to 211 in e5206f5

    
           builder.append("<tr>"sv); 
        
           builder.append("<td>"sv);

instead of

        builder.append("<tr><td>"sv);

?

Hendiadyoin1 · 2024-05-12T16:05:41Z

Pretty sure this is technically an XSS vulnerability on our part
who stops you from using <script> here
(Although not sure what info one could get form the task manager process)

xBZZZZ · 2024-05-12T18:39:14Z

who stops you from using <script>

nothing, scripts also work (alert("hello") freezes task manager but no dialog)

Hendiadyoin1 · 2024-05-12T18:40:43Z

Tested the same in this thread over on discord -> https://discord.com/channels/830522505605283862/830525031720943627/1239251878810751076

Hendiadyoin1 added the security label May 12, 2024

trflynn89 mentioned this issue May 12, 2024

LibWebView: Escape HTML entities in the Task Manager process titles #24298

Merged

ADKaster closed this as completed in #24298 May 12, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Ladybird Task Manager doesn't html escape `process.title` #24293

Ladybird Task Manager doesn't html escape `process.title` #24293

xBZZZZ commented May 12, 2024

Hendiadyoin1 commented May 12, 2024

xBZZZZ commented May 12, 2024

Hendiadyoin1 commented May 12, 2024

Ladybird Task Manager doesn't html escape process.title #24293

Ladybird Task Manager doesn't html escape process.title #24293

Comments

xBZZZZ commented May 12, 2024

Hendiadyoin1 commented May 12, 2024

xBZZZZ commented May 12, 2024

Hendiadyoin1 commented May 12, 2024

Ladybird Task Manager doesn't html escape `process.title` #24293

Ladybird Task Manager doesn't html escape `process.title` #24293