Closed Bug 856540 Opened 11 years ago Closed 8 years ago

Add CSP feature to disable innerHTML

Component: Core :: DOM: Security (defect)
Platform: x86 macOS
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Reporter: sicking
Assignee: Unassigned
Whiteboard: [domsecurity-backlog]

During the development of gaia we found it to be a very common problem that front-end code would do things like:

element.innerHTML = getData();

where getData() would return untrusted data. The normal features of CSP meant that this wasn't an XSS problem, however it was still a bad attack vector. If nothing else it could enable an attacker to make it impossible for users to see their list of SMSs that they had received.

While the fix is easy, just change innerHTML to textContent, innerHTML is a very ingrained pattern in web development and thus a very common mistake to make.

So it would be great if we could write a CSP policy which caught this. Probably along with .outerHTML and .insertAdjacentHTML().
Paul, that seems Gaia-specific as well, can we close this one?
Component: Security → DOM: Security
Flags: needinfo?(ptheriault)
Whiteboard: [domsecurity-backlog]
This issue was fixed by bug 1155131.
We have a linter that disallows innerHTML unless a well-known sanitizer is used.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Flags: needinfo?(ptheriault)
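The following is an added example, not code from this bug or from the Gaia project. It shows, for the sink pattern the reporter describes and for the linter approach the closing comment mentions, what a minimal source check looks like: it flags writes to innerHTML, outerHTML and insertAdjacentHTML unless the value is a constant string or is wrapped in an allow-listed sanitizer, and it performs the textContent rewrite the reporter calls the easy fix. The sanitizer names, the sample source and the `sms-list` element are assumptions constructed for illustration.

```javascript
// Added example, not code from bug 856540 or from the Gaia code base: a small
// source-level check in the spirit of the linter mentioned in the closing
// comment. It flags writes to the HTML-injecting sinks named in the bug
// (innerHTML, outerHTML, insertAdjacentHTML) unless the value is a constant
// string or is wrapped in a well-known sanitizer, and offers the textContent
// rewrite the reporter describes. Sanitizer names are assumptions for illustration.

const KNOWN_SANITIZERS = ["DOMPurify.sanitize", "sanitizeHTML"]; // assumed allow-list

// `x.innerHTML = rhs;` or `x.innerHTML += rhs;` (the `(?!=)` keeps `===` out)
const ASSIGN_RE = /\.(innerHTML|outerHTML)\s*\+?=(?!=)\s*([^;]+)/;
// `x.insertAdjacentHTML(position, rhs)`
const METHOD_RE = /\.(insertAdjacentHTML)\s*\(\s*[^,]+,\s*([^)]+)\)/;

// True when the value is passed through one of the allowed sanitizers.
function isSanitized(rhs) {
  const t = rhs.trim();
  return KNOWN_SANITIZERS.some((s) => t.startsWith(s + "("));
}

// True for a single quoted literal or a template with no ${...} substitution:
// markup the developer wrote, not data that arrived at runtime.
function isConstantString(rhs) {
  const t = rhs.trim();
  return /^(["'])(?:\\.|(?!\1).)*\1$/.test(t) || (/^`[^`]*`$/.test(t) && !t.includes("${"));
}

// Scan JavaScript source line by line and report unsanitized HTML sink writes.
function lintSource(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    const line = idx + 1;
    let m = text.match(ASSIGN_RE);
    if (m) {
      const [, sink, rhs] = m;
      if (!isSanitized(rhs) && !isConstantString(rhs)) {
        findings.push({
          line, sink, value: rhs.trim(),
          fix: sink === "innerHTML" ? "use textContent, or sanitize the markup" : "sanitize the markup",
        });
      }
      return;
    }
    m = text.match(METHOD_RE);
    if (m) {
      const [, sink, rhs] = m;
      if (!isSanitized(rhs)) {
        findings.push({ line, sink, value: rhs.trim(), fix: "use insertAdjacentText, or sanitize the markup" });
      }
    }
  });
  return findings;
}

// The reporter's fix: when the value is plain text, write it through textContent
// so the browser never parses it as markup. Only plain `=` assignments are rewritten;
// `+=` is left alone because appending text to existing markup needs a real restructure.
function rewriteToTextContent(text) {
  return text.replace(/\.innerHTML(\s*)=(?!=)/, ".textContent$1=");
}

// Constructed sample (not from Gaia) mixing safe and unsafe patterns.
const SAMPLE_SOURCE = [
  'const el = document.getElementById("sms-list");',
  "el.innerHTML = getData();", // line 2: untrusted data parsed as HTML
  "el.innerHTML = DOMPurify.sanitize(getData());", // line 3: sanitized, allowed
  "el.textContent = getData();", // line 4: text sink, not HTML
  'el.innerHTML = "<b>Loading</b>";', // line 5: constant markup, allowed
  'el.innerHTML += "<li>" + sms.body + "</li>";', // line 6: concatenated data
  'el.insertAdjacentHTML("beforeend", sms.body);', // line 7: untrusted data
  "el.outerHTML = sanitizeHTML(markup);", // line 8: sanitized, allowed
].join("\n");

function main() {
  for (const f of lintSource(SAMPLE_SOURCE)) {
    console.log(`line ${f.line}: ${f.sink} <- ${f.value} (${f.fix})`);
  }
  console.log(rewriteToTextContent("el.innerHTML = getData();"));
}

main();
```

Run with node; the sample reports lines 2, 6 and 7 and prints the textContent rewrite of the first one. A regex scan like this is deliberately coarse (it works on lines, not on a parse tree), which is why a real linter is written as an AST rule; the allow-list of sanitizers is the part that matters most, because a sink write that merely looks wrapped is still flagged unless the wrapper is one the team has vetted. The browser-enforced form of what the reporter asked for later arrived as the Trusted Types CSP directive (`require-trusted-types-for 'script'`), under which assigning a plain string to innerHTML throws instead of being parsed.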