[tor-bugs] #18679 [Tor Browser]: javascript: hrefs don't run at medium-high security level, even on an HTTPS page
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Mar 29 17:55:01 UTC 2016
#18679: javascript: hrefs don't run at medium-high security level, even on an HTTPS
page
-----------------------------+----------------------
Reporter: dcf | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Tor Browser | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
-----------------------------+----------------------
On this page, at the medium-high security level, the "Enter promotional
code" link doesn't work. It's supposed to cause another DOM element to
become visible.
https://www.eventbrite.com/e/rightscon-silicon-
valley-2016-tickets-19158023163
It's because the link, rather than using an onclick handler or something,
uses a javascript: URL in the href:
{{{
<a href="javascript: Hide('discountDiv1'); Show('discountDiv');">Enter
promotional code</a>
}}}
They use the same technique for some other buttons, which are also broken.
The JS actually works, as I can paste it into the browser console and it
does what it's supposed to do.
It works if I reduce the security level to medium-low, so I suspect it's
caused by Tor Browser not considering the javascript: URL to be in an
HTTPS context or something.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18679>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list