Thread: Firmware Update 5.16.7 out
Old 02-26-2024, 01:49 PM   #28
nabsltd
Evangelist
 
Posts: 417
Karma: 6913952
Join Date: Aug 2013
Location: Hamden, CT
Device: Kindle Paperwhite (11th gen), Scribe
Quote:
Originally Posted by GeorgeYellow
This change in 5.6.7 looks mighty suspicious ...

Code:
mesquite/browser/javascripts/fileManager.js   2024-02-09 17:54:56.000000000 -0800

+/*
+ * Changes html content to text content
+ */
+function htmlToText(string) {
+    const div = document.createElement('div');
+    div.appendChild(document.createTextNode(string));
+    return div.innerHTML;
+}
+
 /**
  * Manages Browser file upload and download requests
  */
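Review bot: the doc comment on htmlToText ("Changes html content to text content") describes the opposite of what the function does. Appending a text node and reading back innerHTML HTML-escapes the input so that it is rendered as literal text; a name and comment along the lines of escapeHtml / "Escapes a string for safe insertion into HTML content" would keep later readers from misusing it. Also worth documenting that innerHTML serialisation of a text node escapes only &, < and > (and non-breaking space), not quotes, so the helper is adequate for element content but not for attribute values.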
@@ -30,7 +39,8 @@

         // get dialog message
         var mf = new MessageFormat(b.strings.messages.downloadConfirm);
-        var message = mf.format({ filename: request.filename });
+        var filename = htmlToText(request.filename);
+        var message = mf.format({ filename: filename });
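Review bot: escaping the filename before MessageFormat substitution is correct only if `message` is later inserted as HTML; if the dialog renders it as plain text, the user would see `&lt;p&gt;` literally. The hunk does not show where `message` is consumed, so the sink should be confirmed in the same change. It would also help to state in the commit or a comment that `request.filename` is attacker-influenced input (it comes from the page), since that is the reason only this substitution value is escaped and the template string is not.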
All this is doing is sanitizing a filename for display.

It looks like there was some exploit where the filename contained actual HTML (e.g. "<p>stuff</p>.ext") and this was just appended to the HTML output. Now, it gets converted to text and stuffed into a div (e.g. "<div>&lt;p&gt;stuff&lt;/p&gt;.ext</div>").
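The following is an added example, not code from the Kindle firmware or from the quoted patch. It reimplements the patch's text-node trick without a DOM (so it runs under Node), shows the "before" and "after" message construction side by side on a constructed sample filename of the same shape as the one in the post, and adds a stricter variant for attribute values, which the text-node approach does not cover. The MessageFormat stand-in, the message template, and the function names other than htmlToText are assumptions made for the example.

```javascript
// Added example (not from the firmware or the quoted patch). Assumption: the
// dialog message is inserted as HTML, which is the only context in which
// escaping the filename is both necessary and sufficient.

// DOM-free equivalent of:
//   div.appendChild(document.createTextNode(s)); return div.innerHTML;
// Serialising a text node via innerHTML escapes exactly '&', '<', '>' and
// the non-breaking space; it does NOT touch quotes.
function htmlToText(string) {
  return String(string)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/\u00a0/g, '&nbsp;');
}

// Stricter variant for attribute values (assumed helper): also escapes
// quotes so the value stays inert inside title="..." or similar.
function escapeForAttribute(string) {
  return htmlToText(string)
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal stand-in for MessageFormat.format(): "{name}" substitution only.
function formatMessage(template, vars) {
  return template.replace(/\{(\w+)\}/g, (m, k) => (k in vars ? vars[k] : m));
}

// Assumed template; the real downloadConfirm string is not on the page.
const DOWNLOAD_CONFIRM = 'Download {filename}?';

// "Before" the patch: the raw filename is substituted into the markup.
function buildMessageUnsafe(filename) {
  return formatMessage(DOWNLOAD_CONFIRM, { filename });
}

// "After" the patch: the filename is escaped first, as in the hunk.
function buildMessageSafe(filename) {
  return formatMessage(DOWNLOAD_CONFIRM, { filename: htmlToText(filename) });
}

// Detection-style check: does the produced markup still contain a tag?
function containsTag(html) {
  return /<[a-zA-Z/][^>]*>/.test(html);
}

// Constructed sample, same shape as the filename in the post.
const SAMPLE_FILENAME = '<p>stuff</p>.ext';

console.log('unsafe :', buildMessageUnsafe(SAMPLE_FILENAME));
console.log('safe   :', buildMessageSafe(SAMPLE_FILENAME));
console.log('attr   :', escapeForAttribute('x" onmouseover="y'));
```

The point of the attribute variant is the caveat nabsltd's description glosses over: stuffing a string into a div and reading innerHTML is fine when the result lands in element content, but a filename placed inside an attribute needs quote escaping too, and the patch's helper would not provide it.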