- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 9 Jan 2015 13:14:18 +0100
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: WebApps WG <public-webapps@w3.org>

On Fri, Jan 9, 2015 at 12:29 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> Ok, what about this testcase:
>
> var parent = document.createElement("x-my-element");
> var input = document.createElement("input");
> parent.appendChild(input);
> input.value = "file:///etc/passwd";
> parent.cloneNode(true);
>
> and then in the cloning callback for x-my-element, assuming "newNode" is the
> clone:
>
> newNode.firstChild.type = "file";
>
> That seems to me like it would do the type set before the cloning callback
> for the input runs, right?

Both parent and input need to be cloned in this case. While parent's callback runs it changes the type of input, at which point input's callback runs. So, yes.

It's a bit unclear to me why "When an input element's type attribute changes state" does not sanitize this value in any way though or how cloning it makes it a security concern.

--
https://annevankesteren.nl/

Received on Friday, 9 January 2015 12:14:45 UTC