Comments (10)
I agree, we need to work around that problem. We kinda saw it coming... #64 (comment) :)
from dompurify.
This is the PR we should have a look at: #70 The issue itself is minor indeed so we're not in a hurry.
from dompurify.
@filedescriptor I am not 100% sure if we should fix this issue. The problem affects an outdated browser and requires an attacker to have access to an Iframe's src attribute on the target page.
We could implement a type check and make sure that MozNamedNodeMap
is of type function
and not object
as the attacker would clobber it with window
. But then again, is it really a feasible attack?
from dompurify.
@filedescriptor My tests further sowed that this attach doesn't seem to be possible using (cross-origin) redirects. So an attacker cannot seem to e.g. provide a legitimate URL, then redirect, then clobber MozNamedNodeMap
and then deactivate DOMPurify. Or am I missing something? Thoughts are welcome :)
from dompurify.
@cure53 typeof MozNamedAttrMap is "object"
Since jsdom does not implement MozNamedAttrMap
, you could use Object.prototype.toString() for that one specifically (I have not checked if this works properly in FF22-34, but I can test it if you want).
from dompurify.
I just chatted with @filedescriptor and we concluded that it is not an exploitable issue for now. The problem only appears when the Iframe's URI can be attacker controlled directly. Redirects do not work. Closing this for now.
from dompurify.
So I had a look and it seemed that FF 23 or below may be vulnerable to this attack. The main thing is that in older FF we can clobbering iframe without it being same-origin. FF 24 and after changed its behavior.
from dompurify.
You would still have to do the clobbering before the purify library loads, since the value is cached. We also presume that you haven't clobbered the document before purify loads.
from dompurify.
Yeah I already mentioned that, though it is not totally impossible. I haven't checked DOMPurify for a while and didn't notice now we rely on document not being polluted before the library loads (we used to check a bunch of types to ensure them not being clobbered in the first place).
from dompurify.
I think one of the core points here is:
A website might load an Iframe from a third-party domain. If that Iframe could redirect to data URI and then use this to clobber, we'd have a major issue. Since this is only the case in legacy FF, we should be good here.
So, in summary, I am good with the "wontfix" unless additional concerns pop up.
from dompurify.
Related Issues (20)
- Title: Sanitization removes valid iframe attributes and changes attribute order HOT 8
- Fix for bug in demo hooks-sanitize-css-demo.html HOT 3
- Sanitization Issue: Comments Removed Despite ADD_TAGS Configuration HOT 8
- Sanitization Issue with DomPurify HOT 3
- New release v3.1.0 (not in releases) HOT 1
- How do I use the API provided by DomPurify to verify the SVG file is it risky? HOT 1
- Sanitize returns empty string when PARSER_MEDIA_TYPE: application/xhtml+xml and void tags HOT 4
- DOMPurify and Trusted Types - Clarification to Docs HOT 9
- when using bypasssecurityTrustHtml mthod to render template HOT 3
- Exception when passing 0 or "" or null to Dompurify.Sanitize Method HOT 2
- Use lower case for bower package name HOT 1
- Uncertain how to handle 'non-standard' HTML HOT 3
- Need to block external calls, e.g. all HTTP requests HOT 7
- Why does name="name" on an input field get purified? HOT 1
- Exception when passing 0 or "" or null to Dompurify.Sanitize Method #947 HOT 3
- Latest versions of DOMPurify 2.5.x block custom SVG elements when they are set via ADD_TAGS config. HOT 6
- release 3.1.3 assets are the same as 3.1.2 HOT 1
- Number.isNaN is not supported in MSIE HOT 15
- Bower issues : DOMPurify is not defined HOT 5
- HTML and BODY tags are being regardless of `ALLOWED_TAGS` settings HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dompurify.