Add CSP feature to disable innerHTML

RESOLVED FIXED

Status

()

Core
DOM: Security
RESOLVED FIXED
5 years ago
2 years ago

People

(Reporter: sicking, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [domsecurity-backlog])

During the development of gaia we found it to be a very common problem that front-end code would do things like:

element.innerHTML = getData();

where getData() would return untrusted data. The normal features of CSP meant that this wasn't an XSS problem, however it was still a bad attack vector. If nothing else it could enable an attacker to make it impossible for users to see their list of SMSs that they had received.

While the fix is easy, just change innerHTML to textContent, innerHTML is a very ingrained pattern in web development and thus a very common mistake to make.

So it would be great if we could write a CSP policy which caught this. Probably along with .outerHTML and .insertAdjecentHTML().
Paul, that seems Gaia specific as well, can we close this one?
Component: Security → DOM: Security
Flags: needinfo?(ptheriault)
Whiteboard: [domsecurity-backlog]
This issue was fixed by bug 1155131.
We have a linter that disallows innerHTML unless a well-known sanitizer is used.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Flags: needinfo?(ptheriault)
You need to log in before you can comment on or make changes to this bug.