Re: [whatwg/dom] Declarative Shadow DOM (#831)

Thanks for all of the supportive comments here.

> Not off the top of my head. I don't think it's easy to add one without some kind of new HTML mode and/or not allowing to appear anywhere template can appear. This is a tricky issue I'd say. One way to mitigate this issue is to punt the parser behavior and just go with `shadow` element.

Using the `<shadow>` element wouldn't mitigate this **at all**. The concern is fundamental - any declarative shadow DOM mechanism of any kind will suffer from this issue, by design. Why do you think `<shadow>` mitigates things?

This is easily fixed using `importNode()`. DOMPurify (one of the largest client side sanitizers) is already patched, and its maintainer [agrees](https://github.com/whatwg/dom/issues/831#issuecomment-714282410) that this is just another bypass that needs to be patched.

> 
> > I don’t think we should be handcuffed for all future Web features by the oldest sanitizer library currently in use.
> 
> We're already there given we're using template element partially due to the XSS concern associated with the parser behavior change.

I agree, and there are many resulting complaints that streaming isn't supported as a result. Let's not go further and eliminate the feature entirely.


> To my understanding, declarative shadow DOM might also affect server-side sanitizers that parse HTML. Server-side injection producing HTML with node (which used to be secure because `<template>` was inert since its inception) can now cause XSS. Have you explored that?

Hmm, that's true. The server-side itself should still be safe, since server-side sanitizers don't (typically) use the DOM APIs for parsing. But it's true that they need to understand `<template shadowroot>` enough to parse the contents, and not skip the entire sub-tree. It would surprise me if existing sanitizers did skip entire subtrees anyway, as that seems risky. But @leizongmin and @apostrophecms, might you be able to answer this question for js-xss and sanitize-html?

https://github.com/whatwg/dom/issues/831#issuecomment-714575403

Received on Thursday, 22 October 2020 15:31:53 UTC
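
As an added illustration of the server-side point raised above (this is not code from the thread, nor from js-xss, sanitize-html or DOMPurify): a small allowlist sanitizer built on Python's standard-library `html.parser`, with a switch between the legacy behaviour of copying a `<template>` subtree through verbatim (safe while template content was always inert) and the behaviour the comment calls for, applying the same attribute and tag policy inside the template. The allowlist, the sample markup and the two-mode switch are constructed for the example; the `shadowroot` attribute name follows the thread.

```python
from html import escape
from html.parser import HTMLParser

# Constructed policy for the demonstration; a real sanitizer's allowlist is richer.
ALLOWED_TAGS = {"p", "b", "i", "a", "img", "div", "span", "template"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "shadowroot"}
VOID_TAGS = {"img", "br", "hr"}
DROP_WITH_CONTENT = {"script", "style"}  # tag and its text are both removed


def attr_allowed(name, value):
    """Allowlist attribute names and refuse javascript: URLs in href/src."""
    value = (value or "").strip().lower()
    if name in ("href", "src") and value.startswith("javascript:"):
        return False
    return name in ALLOWED_ATTRS


class AllowlistSanitizer(HTMLParser):
    """Token-level allowlist sanitizer.

    recurse_into_templates=False models the legacy assumption the thread worries
    about: <template> content is inert, so the subtree is copied through as-is.
    recurse_into_templates=True applies the same policy inside the template, which
    is what a server-side sanitizer needs once <template shadowroot> can become
    live DOM in the browser.
    """

    def __init__(self, recurse_into_templates):
        super().__init__(convert_charrefs=True)
        self.recurse_into_templates = recurse_into_templates
        self.out = []
        self.verbatim_depth = 0   # >0 while inside a pass-through <template>
        self.dropping = False     # True while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if self.verbatim_depth:
            # Legacy mode: reproduce the original tag text, event handlers included.
            self.out.append(self.get_starttag_text())
            if tag not in VOID_TAGS:
                self.verbatim_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.dropping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself, keep its children
        if tag == "template" and not self.recurse_into_templates:
            self.out.append(self.get_starttag_text())
            self.verbatim_depth = 1
            return
        kept = [(k, v) for k, v in attrs if attr_allowed(k, v)]
        attr_text = "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        # <img .../> behaves like <img ...>; only non-void tags get a close tag.
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            self.dropping = tag not in DROP_WITH_CONTENT
            return
        if self.verbatim_depth:
            self.verbatim_depth -= 1
            self.out.append(f"</{tag}>")
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.dropping:
            return
        self.out.append(escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def sanitize(html, recurse_into_templates):
    parser = AllowlistSanitizer(recurse_into_templates)
    parser.feed(html)
    parser.close()
    return parser.result()


# Constructed sample: a declarative shadow root wrapping an element with an event handler.
SAMPLE = '<p>hi</p><template shadowroot="open"><img src="x" onerror="alert(1)"></template>'

if __name__ == "__main__":
    print("legacy (template passed through):", sanitize(SAMPLE, recurse_into_templates=False))
    print("recursive (policy applied inside):", sanitize(SAMPLE, recurse_into_templates=True))
```

In legacy mode the output is byte-for-byte the input, handler attribute included, which is exactly the subtree a browser with declarative shadow DOM would now attach as a live shadow root; in recursive mode the template survives but its contents are filtered like any other markup.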