Closed
Bug 856540
Opened 12 years ago
Closed 9 years ago
Add CSP feature to disable innerHTML
Categories
(Core :: DOM: Security, defect)
RESOLVED
FIXED
People
(Reporter: sicking, Unassigned)
Details
(Whiteboard: [domsecurity-backlog])
During the development of gaia we found it to be a very common problem that front-end code would do things like: element.innerHTML = getData(); where getData() would return untrusted data. The normal features of CSP meant that this wasn't an XSS problem, however it was still a bad attack vector. If nothing else it could enable an attacker to make it impossible for users to see their list of SMSs that they had received. While the fix is easy, just change innerHTML to textContent, innerHTML is a very ingrained pattern in web development and thus a very common mistake to make. So it would be great if we could write a CSP policy which caught this. Probably along with .outerHTML and .insertAdjacentHTML().
Comment 1•9 years ago
Paul, that seems Gaia specific as well, can we close this one?
Component: Security → DOM: Security
Flags: needinfo?(ptheriault)
Whiteboard: [domsecurity-backlog]
Comment 2•9 years ago
This issue was fixed by bug 1155131. We have a linter that disallows innerHTML unless a well-known sanitizer is used.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
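An added example illustrating the pattern in the description and the linter-style fix mentioned in comment 2. This is not the Gaia linter from bug 1155131 and not code from this bug: a small source scanner that flags assignments to innerHTML/outerHTML and calls to insertAdjacentHTML unless the value is wrapped in an assumed sanitizer name; the sanitizer names and the sample source lines are constructed for the example.

```javascript
// Assumed sanitizer names: a real linter would take these from its config.
const KNOWN_SANITIZERS = ['sanitizeHTML', 'DOMPurify.sanitize'];

// `x.innerHTML = ...` / `x.outerHTML = ...` (also `+=`), capturing the value.
const ASSIGN_SINK = /\.(innerHTML|outerHTML)\s*\+?=\s*(.+?);?\s*$/;
// `x.insertAdjacentHTML(position, ...)`, capturing the html argument.
const CALL_SINK = /\.(insertAdjacentHTML)\s*\(\s*[^,]+,\s*(.+?)\)\s*;?\s*$/;
// A bare string literal (e.g. clearing with '') carries no untrusted data.
const STRING_LITERAL = /^(['"])(?:(?!\1).)*\1$/;

function isSanitized(expr) {
  const value = expr.trim();
  return KNOWN_SANITIZERS.some((name) => value.startsWith(name + '('));
}

// Returns one finding per line that writes a non-literal, unsanitized value
// into an HTML sink. textContent assignments never match, which is the fix
// the description recommends.
function findUnsafeHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const m = ASSIGN_SINK.exec(line) || CALL_SINK.exec(line);
    if (!m) return;
    const value = m[2].trim();
    if (STRING_LITERAL.test(value) || isSanitized(value)) return;
    findings.push({ line: idx + 1, sink: m[1], value });
  });
  return findings;
}

// Constructed sample resembling the front-end code the bug describes.
const SAMPLE = [
  'list.innerHTML = getData();',                                  // flagged
  'list.textContent = getData();',                                // safe
  'list.innerHTML = sanitizeHTML(getData());',                    // allowed
  "item.insertAdjacentHTML('beforeend', msg.body);",              // flagged
  "item.innerHTML += '<li>' + escapeHtml(msg.body) + '</li>';",   // flagged
  "box.innerHTML = '';",                                          // literal
].join('\n');

for (const f of findUnsafeHtmlSinks(SAMPLE)) {
  console.log(`line ${f.line}: unsanitized ${f.sink} <- ${f.value}`);
}
```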
Updated•9 years ago
Flags: needinfo?(ptheriault)