Open
Bug 974212
Opened 10 years ago
Updated 2 years ago
innerHTML getter: comments containing ">" should not become dangerous
Categories
(Core :: DOM: Core & HTML, defect, P5)
Tracking
()
NEW
People
(Reporter: jruderman, Unassigned)
References
()
Details
(Keywords: testcase)
Attachments
(1 file)
|
258 bytes,
text/html
|
Details |
> var v = document.createElement("div");
> v.appendChild(document.createComment("1>"));
> v.innerHTML
Result: <!--1<-->
Expected: truncate the comment, omit/replace/escape the '<', or even throw.
|
Reporter | |
Updated•10 years ago
|
Summary: innerHTML getter: comments containing ">" should become dangerous → innerHTML getter: comments containing ">" should not become dangerous
|
||
Comment 1•10 years ago
|
||
Spec issue, yes?
|
||
Comment 2•10 years ago
|
||
AngularJS is affected by this as well: http://code.google.com/p/mustache-security/wiki/AngularJS#mXSS_via_HTML_Import
|
|
Reporter | |
Comment 3•10 years ago
|
||
This does appear to be a spec issue: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-end.html#html-fragment-serialization-algorithm
|
||
Comment 4•10 years ago
|
||
Presumably this is an issue for ProcessingInstruction too. However, is this something we want to fix? The "attack" works across browsers...
|
|
Reporter | |
Comment 5•10 years ago
|
||
Yes, it should be fixed in all browsers. Why do you write "attack" in quotes?
|
|
||
Comment 6•10 years ago
|
||
Because various bits of the DOM not being serialization safe is known.
E.g. if instead of your comment you had
var comment = document.createElementNS("test", "img");
comment.setAttribute("onerror", "alert('doh')")
comment.setAttribute("src", "/")
you might think it was safe because it's a different namespace, but it wouldn't be.|
|
Reporter | |
Comment 7•10 years ago
|
||
Maybe we should fix that too. But I don't think it's especially relevant to comment serialization, which affects at least one popular library and causes *other parts* of the DOM to be completely wrong.
|
||
Comment 8•10 years ago
|
||
I'd be OK with making document.createComment() throw if the argument contains "-->" if the DOM spec changes to say so. (In reply to Mario Heiderich from comment #2) > AngularJS is affected by this as well: > > http://code.google.com/p/mustache-security/wiki/ > AngularJS#mXSS_via_HTML_Import The advice there is incomplete. The page should say that foo.innerHTML += "bar" is a bug pattern. Don't use += with innerHTML. Use insertAdjacentHTML() instead.
|
|
||
Comment 9•10 years ago
|
||
Is that web-compatible? Would be easy enough to change the specification to require that.
|
|
||
Comment 10•10 years ago
|
||
(In reply to Anne (:annevk) from comment #9) > Is that web-compatible? Dunno. We could add telemetry to check for frequency of occurrence, but we can't use telemetry to find out who the offenders (if any) are, because privacy.
|
||
Comment 11•6 years ago
|
||
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046 Move all DOM bugs that haven’t been updated in more than 3 years and has no one currently assigned to P5. If you have questions, please contact :mdaly.
Priority: -- → P5
|
Assignee | |
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•