Re: [whatwg/dom] Declarative Shadow DOM (#831)

> > If we've already found a sanitizing library which has this XSS issue, I'm sure there are dozens if not hundreds of other code that has the same issue, and we would be introducing new XSS vulnerabilities in sites where such code is deployed.
> 
> So you are saying that sites that use XSS sanitizers will have vulnerabilities if they change [or add or let users add] code?

I don't follow what you mean by this.

> Do I miss something or why do sanitizers not drop any unknown tag and their contents for security reasons? To me it looks like people are relying on insecure tools to circumvent XSS, if that is the case. Wrong?

They probably do. But template isn't an unknown tag. It has a well known behavior and has been in the HTML5 specification for ~9 years now.

> Both implementation and adoption of declarative shadow dom will take a long time, many months to years, and until then sanitizer vendors will have time to fix their sanitization (including the sanity of dropping elements from the dom that their sanitizers do not understand). Right?

The trouble here is that as soon as a browser adds support for it, the users of that browser may experience an XSS vulnerability on a website which doesn't strip away any unknown attributes from a template element, because it can behave as a declarative shadow DOM. Sanitizers are known to remove any attributes that start with "on", as they can all be event handlers, but I'm not certain that every sanitizer will remove all unknown content attributes. That would be the best practice for sure, but so far we've been very careful not to add any scripting attribute that doesn't start with "on" to be mindful of this issue.

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-715483075

Received on Friday, 23 October 2020 17:46:50 UTC
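The distinction the reply draws, between a sanitizer that only strips "on*" event-handler attributes and one that drops every attribute it does not explicitly allow, as an added example that is not code from the thread or from any named sanitizer. It uses the stdlib HTMLParser; the tag and attribute allow list, the `Sanitizer`/`sanitize` names and the constructed input are assumptions for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allow list (illustration only): tags that survive, and the
# attributes each of them may keep. Everything else is dropped.
ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href"}, "template": set()}
VOID = {"br", "img"}  # void elements have no end tag, so never open a skip


class Sanitizer(HTMLParser):
    """Rebuilds markup, dropping unknown elements together with their contents."""
    def __init__(self, allow_list):
        super().__init__(convert_charrefs=True)
        self.allow_list = allow_list  # False: deny list that only strips on* attrs
        self.out, self.skip = [], 0   # skip = depth inside a dropped element

    def keep_attr(self, tag, name):
        if self.allow_list:
            return name in ALLOWED[tag]   # unknown attributes are removed
        return not name.startswith("on")  # only event handlers are removed

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            if tag not in VOID:
                self.skip += 1
            return
        if self.skip:
            return
        kept = "".join(f' {n}="{escape(v or "", quote=True)}"'
                       for n, v in attrs if self.keep_attr(tag, n))
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag not in ALLOWED:
            if tag not in VOID and self.skip:
                self.skip -= 1
        elif not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))


def sanitize(html, allow_list=True):
    p = Sanitizer(allow_list)
    p.feed(html)
    p.close()
    return "".join(p.out)


# Constructed input: a <template> with a non-"on" attribute (the name declarative
# shadow DOM eventually shipped with) beside an event handler and a dropped tag.
SAMPLE = ('<p>hi</p><template shadowrootmode="open" onclick="x()">'
          '<b>t</b></template><script>1</script>')
```

With the allow list, the template keeps no attributes; with the deny list, the "on*" handler goes but the unknown attribute survives, which is exactly the gap the reply is worried about.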