Security/Reviews/B2G/DownloadManager/Security/Reviews/B2G/WebNFC
Interfaces with other Apps/Content
The Download Manager API is used within the System and Settings applications only. There are no web activities or other functionality that expose the downloads functionality.
XSS & HTML Injection Attacks
User-controlled values are essentially limited to the filename. The filename is displayed in the notifications pull-down as well as in the Settings Downloads list. Furthermore, code review of the Gaia code revealed that download names are displayed back to the user via the existing Notifications code, which uses safe practices (.textContent exclusively) for rendering notification details.
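The finding above depends on the rendering code writing the filename through .textContent and never through an HTML-parsing sink. The following added example (not Gaia or Mozilla code; the name `auditSource` and both sample snippets are constructed for illustration) shows a line-based scanner a reviewer could use to spot-check that property before reading the code in detail.

```javascript
// Added example; both samples are constructed for illustration, not Gaia code.
// DOM sinks that parse their argument as HTML: a filename reaching one can inject markup.
const HTML_SINKS = [
  { name: 'innerHTML', re: /\.innerHTML\s*\+?=(?!=)/ },
  { name: 'outerHTML', re: /\.outerHTML\s*\+?=(?!=)/ },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\(/ },
  { name: 'document.write', re: /\bdocument\.write(?:ln)?\s*\(/ },
];
// Assigning to textContent creates a text node; no markup is parsed.
const TEXT_SINK = /\.textContent\s*=(?!=)/;

function auditSource(source) {
  const findings = [];
  let textWrites = 0;
  source.split('\n').forEach((text, i) => {
    const code = text.trim();
    if (code.startsWith('//')) return; // ignore whole-line comments
    if (TEXT_SINK.test(code)) textWrites += 1;
    for (const sink of HTML_SINKS) {
      if (sink.re.test(code)) findings.push({ line: i + 1, sink: sink.name, code });
    }
  });
  // "textContent exclusively": at least one text write and no HTML sink writes.
  const textContentOnly = findings.length === 0 && textWrites > 0;
  return { findings, textWrites, textContentOnly };
}

const SAFE_SAMPLE = `
function renderDownload(node, download) {
  // filename is the user-controlled value
  node.querySelector('.title').textContent = download.filename;
  node.querySelector('.state').textContent = download.state;
}`;

const UNSAFE_SAMPLE = `
function renderDownload(node, download) {
  node.querySelector('.title').innerHTML = '<b>' + download.filename + '</b>';
  node.insertAdjacentHTML('beforeend', download.state);
  node.querySelector('.size').textContent = download.size;
}`;

for (const [label, src] of [['safe', SAFE_SAMPLE], ['unsafe', UNSAFE_SAMPLE]]) {
  const r = auditSource(src);
  console.log(label, 'textContentOnly =', r.textContentOnly);
  r.findings.forEach((f) => console.log(`  line ${f.line}: ${f.sink}: ${f.code}`));
}
```

The scanner is regex-driven and does not follow data flow, so a clean result narrows where to read rather than replacing the manual review.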