Security researcher Roberto Suggi Liverani
reported that ParanoidFragmentSink
, a class used to
sanitize potentially unsafe HTML for display,
allows javascript:
URLs and other inline JavaScript when
the embedding document is a chrome document. While there are no
unsafe uses of this class in any released products, extension code
could have potentially used it in an unsafe manner.