- From: Domenic Denicola <notifications@github.com>
- Date: Wed, 02 Mar 2022 17:23:49 -0800
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/dom/issues/849/1057566854@github.com>
For others who weren't aware of mXSS, it [apparently](https://www.nds.rub.de/media/emma/veroeffentlichungen/2013/12/10/mXSS-CCS13.pdf) is about malicious users supplying strings which are stored in a database, and then passed to `innerHTML`, such that they create unexpected effects because `x.innerHTML = y; x.innerHTML` doesn't always return `y`. (Because the parse/serialize roundtrip mutates the input.)
So I guess the relevance here is, if someone does
```js
const el = document.createElement(userSuppliedString);
await storeInServer(el.outerHTML);
// ... later ...
const html = await getFromServer();
container.innerHTML = html;
```
and `userSuppliedString` is `p><script>alert(1);</script`, then `el.outerHTML` would end up as `<p><script>alert(1);</script></p><script>alert(1);</script>`. That is indeed bad!
If we disallow tab, LF, CR, FF, space, /, >, NULL, then nothing immediately sticks out to me as problematic. But I worry that I'm just not doing enough security analysis. It would be a shame if this simplification fix ended up causing everyone security problems.
From that perspective, the https://github.com/whatwg/dom/issues/849#issuecomment-1007541209 should be generally safer. It would make `document.createElement(userSuppliedString)` as dangerous as it currently is, plus the danger of `el.innerHTML = `<${userSuppliedString}>`. Which seems manageable.
Hmm.
--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/849#issuecomment-1057566854
You are receiving this because you are subscribed to this thread.
Message ID: <whatwg/dom/issues/849/1057566854@github.com>
Received on Thursday, 3 March 2022 01:24:01 UTC