Closed Bug 935017 Opened 11 years ago Closed 11 years ago

Disallowed attributes should be removed before inserting the element into the DOM

Categories

(L20n :: JS Library, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: freddy, Assigned: stas)

Details

(Keywords: sec-moderate, wsec-input)

Attachments

(1 file)

See https://github.com/l20n/l20n.js/blob/master/bindings/l20n/html.js#L315

> if (isElementAllowed(childElement)) {
>   result.appendChild(childElement);
>   for (var k = 0, attr; attr = childElement.attributes[k]; k++) {
>     if (!isAttrAllowed(attr, childElement)) {
>       childElement.removeAttribute(attr.name);
>     }
>   }
>   continue;
> }

I recommend moving the `appendChild` call after the for loop. Otherwise a race condition might allow harmful tags to go through for a short time.
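The two orderings side by side, as an added example that is not l20n.js's own code: a constructed DOM-like element records which attributes a child carried at the moment it was attached, so the window between `appendChild` and the attribute loop becomes observable. The allow-list (a stand-in for `isAttrAllowed` in html.js), the `FakeElement` class and the sample attributes are assumptions made for the demonstration.

```javascript
// Hypothetical allow-list standing in for isAttrAllowed() in html.js.
const ALLOWED_ATTRS = new Set(['title', 'href', 'aria-label']);
function isAttrAllowed(attr) {
  return ALLOWED_ATTRS.has(attr.name.toLowerCase());
}

// Constructed stand-in for a DOM element: just enough surface for the loop.
class FakeElement {
  constructor(attrs = {}) {
    this.attributes = Object.entries(attrs).map(([name, value]) => ({ name, value }));
    this.children = [];
    this.attachedWith = null; // attribute names present when appendChild ran
  }
  removeAttribute(name) {
    this.attributes = this.attributes.filter((a) => a.name !== name);
  }
  appendChild(child) {
    child.attachedWith = child.attributes.map((a) => a.name);
    this.children.push(child);
    return child;
  }
}

function stripDisallowed(el) {
  // Iterate over a snapshot: removing from a live attribute collection while
  // indexing forward would skip the entry that follows each removal.
  for (const attr of Array.from(el.attributes)) {
    if (!isAttrAllowed(attr, el)) el.removeAttribute(attr.name);
  }
}

// Ordering from the quoted html.js: the element is in the tree before the
// loop runs, so it is attached with every attribute it arrived with.
function appendThenStrip(parent, child) {
  parent.appendChild(child);
  stripDisallowed(child);
  return child.attachedWith;
}

// Fixed ordering: disallowed attributes are gone before the element is attached.
function stripThenAppend(parent, child) {
  stripDisallowed(child);
  parent.appendChild(child);
  return child.attachedWith;
}

function makeChild() {
  // Constructed sample input: one allowed and one disallowed attribute.
  return new FakeElement({ title: 'hello', onclick: 'doSomething()' });
}
```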
Attached patch Patch (deleted) — Splinter Review
Great catch, Freddy, thanks. Gandalf, can you take a look at this simple patch?
Assignee: nobody → stas
Status: NEW → ASSIGNED
Attachment #827417 - Flags: review?(gandalf)
Attachment #827417 - Flags: review?(gandalf) → review+
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Verified
Status: RESOLVED → VERIFIED