Insecure form action in xref


Unread post by jobbautista9 » 2023-03-11, 13:26

I've been noticing this for a long while now, and I don't know why I didn't report this. But now I'm doing it. :P

When you enter something in the Search for: box from the directory view (like https://xref.palemoon.org/goanna-central/source/), the browser gives me a security warning prompt. Looking at the HTML source code, it looks like the form submit is in plain http:

Code:

<body   bgcolor="#FFFFFF" text="#000000"
	link="#0000EE" vlink="#551A8B" alink="#FF0000">

<!-- <table class=banner bgcolor="#000000" width="100%" border=0 cellpadding=0 cellspacing=0>
<tr><td><a class="logo" href="//www.mozilla.org/"><img
 src="//www.mozilla.org/images/mozilla-banner.gif" alt=""
 border=0 width=600 height=58></a></td></tr></table> -->

<table class=header border=0 cellpadding=12 cellspacing=0 width="100%">
 <tr>
  <td align=left valign=middle>
   <nobr><font size="+2"><b><a href="/">Cross-Reference</a></b>
<i><a href="http://xref.palemoon.org/goanna-central">goanna-central</a></i>
</font></nobr>
   <br><b><a href="/goanna-central/source/">source</a>/ </b>
  </td>




 </tr>
</table>

<p>
<form action="http://xref.palemoon.org/goanna-central/search">
<input type=hidden name=find value="/">
<b>Search for:</b> <input name=string id=string> within this directory
<input type=submit value="search">
</form>
</p>

<form name='source' id='source' class='beforecontent'
>view using tree:
<select name='tree' id='tree' onchange='changetarget("http://xref.palemoon.org/goanna-central/", "goanna-central/")'>
<option value="goanna-central" selected=1>goanna-central</option>
<option value="mozilla-central">mozilla-central</option>
<option value="palemoon-rel26">palemoon-rel26</option>
<option value="palemoon-rel27">palemoon-rel27</option>
<option value="palemoon-rel28">palemoon-rel28</option>

</select></form>

(And yes, I've confirmed with a clean profile of Basilisk that it's not my stupid Greasemonkey script mangling the HTML; besides, my script only affects anchor tags.)

Since xref is always https, can the links be turned into protocol-agnostic ones so that the security warning will not be triggered? Thanks!

Re: Insecure form action in xref

Unread post by Moonchild » 2023-03-11, 14:09

It should automatically detect http and https and adjust form URLs appropriately. I'm not sure why, in that particular template, it doesn't...

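As an added example (not part of the thread and not xref's own code), here is a small Python check that finds absolute http:// form actions and links in a page and shows the protocol-relative form requested in the first post. The sample markup is trimmed from the HTML quoted in that post; the function and class names are made up for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that submit data or navigate. Form targets matter most,
# because the typed search string would leave the HTTPS page over plain HTTP.
URL_ATTRS = {("form", "action"), ("input", "formaction"),
             ("button", "formaction"), ("a", "href")}

# Trimmed from the markup quoted in the post (served from an https:// page).
SAMPLE = '''<a href="/">Cross-Reference</a>
<i><a href="http://xref.palemoon.org/goanna-central">goanna-central</a></i>
<a href="/goanna-central/source/">source</a>
<form action="http://xref.palemoon.org/goanna-central/search">
<input type=hidden name=find value="/">
<b>Search for:</b> <input name=string id=string>
<input type=submit value="search">
</form>
'''

class InsecureTargetFinder(HTMLParser):
    """Collect absolute http:// URLs found in form actions and links."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in URL_ATTRS and value \
                    and urlsplit(value.strip()).scheme.lower() == "http":
                self.findings.append((self.getpos()[0], tag, name, value))

def find_insecure_targets(html):
    finder = InsecureTargetFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def protocol_relative(url, own_host):
    """Turn http://own_host/... into //own_host/...; leave other URLs alone.

    Only same-host URLs are rewritten: a protocol-relative URL inherits the
    page's scheme, which is safe only if that host really serves HTTPS.
    """
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() == "http" and parts.hostname == own_host:
        return url[len(parts.scheme) + 1:]  # drop "http:", keep "//host/path"
    return url

if __name__ == "__main__":
    for line, tag, attr, url in find_insecure_targets(SAMPLE):
        print(f"line {line}: <{tag} {attr}> {url} -> "
              f"{protocol_relative(url, 'xref.palemoon.org')}")
```

The inline `changetarget("http://...")` handler in the quoted markup is a JavaScript string rather than a URL attribute, so this check does not cover it.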