...and now the video of my talk "Finding and Exploiting 20-year-old bugs in Web Browsers" is live too https://www.youtube.com/watch?v=U1kc7fcF5Ao
OffensiveCon25 - Ivan Fratric - Finding and Exploiting 20-Year-Old Bugs in Web Browsers

@ifsecure Thanks again for sharing this great work :) I remember you mentioned Firefox should disable the `document` function from within the `XSLTProcessor` API. Looks like we already do that as of Firefox 138 (April 29th) https://bugzilla.mozilla.org/show_bug.cgi?id=1953525 🙂
1953525 - Disable the XSLT document() function when called through the XSLTProcessor DOM API

RESOLVED (peterv) in Core - XSLT. Last updated 2025-04-23.

@freddy Thanks and it was great to meet you in person! I know about that implementation, it's based on the suggestion I made on bug 1951008 (see comment #6) :)
@ifsecure Right. But in the talk it seemed like you were recommending it as if it wasn’t there yet.
@freddy Ah, sorry that it came across like that.
@ifsecure sadly, it's not that easy to remove XSLT. In fact, some of the Google style guides even use XSLT :)