
Prevent data: URLs from being used for XSS - lucasgonze
https://bugzilla.mozilla.org/show_bug.cgi?id=255107
======
lucasgonze
This bug is almost old enough to drive.

I submitted an earlier version of it back in the early 00s and have been CC'd
on the endless procedural back-and-forth ever since. Incredibly, nobody ever
said "we're just not doing it."

One for the book of world records, Oldest Bug category.

------
ataylor32
This reminds me of "MySQL Bug #20786 gets cake":

[https://www.youtube.com/watch?v=oAiVsbXVP6k](https://www.youtube.com/watch?v=oAiVsbXVP6k)

~~~
praseodym
For those who were wondering:
[https://bugs.mysql.com/bug.php?id=20786](https://bugs.mysql.com/bug.php?id=20786)

------
favorited
Ahh the rare self-closing bug. Keep the ticket open long enough, and maybe the
standards group will adopt your behavior!

It's cool that the large browsers had standardized on the same non-standard
behavior. Makes total sense for WHATWG to adopt it, right?

~~~
jancsika
> Keep the ticket open long enough, and maybe the standards group will adopt
> your behavior!

But the description of the spec-fix[1] says it aligns with the behavior of all
the browsers _except_ Firefox.

So how exactly did Firefox come into alignment with the behavior of the other
browsers without there being a patch associated with this bug?

[1]
[https://github.com/whatwg/html/commit/00769464e80149368672b8...](https://github.com/whatwg/html/commit/00769464e80149368672b894b50881134da4602f)

------
ryandrake
Most places I've worked, the older a bug is, the less likely it will ever be
fixed. The reasoning goes "users have lived with it for this long, so it must
not be important." And we have regressions in the code that's about to go out
that have not faced users yet--fix them first.

Has anyone ever successfully argued for going back and fixing ancient bugs,
prioritizing it over fixing more recently-discovered bugs? What argument did
you use?

~~~
jcranmer
Bug age is not a particularly useful metric for determining priority.

In my experience, doing bug triage, old bugs generally fall into a few
categories:

* Feature requests that aren't WONTFIX but so low priority that they'll stay on the bottom of the list forever (e.g., [https://bugzilla.mozilla.org/show_bug.cgi?id=2892](https://bugzilla.mozilla.org/show_bug.cgi?id=2892)).

* Bugs that are impossible to fix in the current architecture, and are too low priority to justify the architectural changes to fix them (e.g., [https://bugzilla.mozilla.org/show_bug.cgi?id=9942](https://bugzilla.mozilla.org/show_bug.cgi?id=9942)).

* Bugs that have too little information to be implemented, and just make everyone who stares at them decide to move onto another bug. These do get cleaned up during periodic deep triages, so I don't have a good 4-digit bug for this.

* Bugs that are political. ([https://bugzilla.mozilla.org/show_bug.cgi?id=540](https://bugzilla.mozilla.org/show_bug.cgi?id=540))

* Bugs that exist in components that never get triage because no one works on that stuff (or the project itself may be dead) ([https://bugzilla.mozilla.org/show_bug.cgi?id=1334](https://bugzilla.mozilla.org/show_bug.cgi?id=1334)).

All citations are rare 4-digit bugs or super-rare 3-digit bugs on Mozilla's
bugzilla instance. I myself have triaged a few of those out of existence, but
I never fixed any of them.

------
jld
Nothing like fixing a bug by changing the spec.

------
esbafb8
14 years ago, it was reported on... Windows XP. PS: I do miss XP.

~~~
dver
I have a VM that I have to fire up every once in a while to deal with a
Delphi 7 app if you feel really sentimental.