sanitize urls: svg/xlink href, formaction, and data: on iframe/object#21442
Open
rootvector2 wants to merge 5 commits into
Conversation
simplify checkURI to inline the tag normalization, and bring in the other open sanitization gaps so they live behind the same tag/attribute matching:
- formaction on button/input
- data: protocol on iframe[src] and object[data]
- strip ascii tab/newline/cr before the fastboot url protocol check
Author
Folded the Click the box and on a released Glimmer it fires; with this PR the href comes back as
johanrd reviewed Jun 3, 2026
| function checkURI(tagName: Nullable<string>, attribute: string): boolean { | ||
| return (tagName === null || has(badTags, tagName)) && has(badAttributes, attribute); | ||
| // SVG element tagNames are lowercase (e.g. `a`), so they never match the |
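Review bot: the lines shown end before the normalization the PR body says was moved inside `checkURI`; the `return` on the second line compares `tagName` straight against `badTags` via `has(badTags, tagName)`, so confirm the upper-casing happens before that comparison (and likewise in `checkDataURI`), otherwise an SVG `a` still falls through exactly as before. The `tagName === null` branch, which treats any listed attribute as suspect when the element is unknown, is the safe default and deserves a one-line comment saying so.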
Contributor
nitpick for the comment wording: SVG tagNames are case-preserved (e.g. `linearGradient`, `clipPath`, `foreignObject`),
– just comment wording, does not affect logic/correctness, as `a` just happens to be lowercase, and `a` is the only SVG element in `badTags`
Author
good catch, reworded it. `a` is the only one in the list and it happens to be lowercase, but the comment shouldn't imply that's true of SVG tagNames in general.
Consolidates the open URL-sanitizer fixes into one PR (per review). Each change closes a way an attacker-controlled value can reach a dangerous protocol that the sanitizer currently misses.

`checkURI`/`checkDataURI` matched `element.tagName` against the uppercase `badTags` list, but SVG tagNames come through lowercase (`a`), so `<a href={{value}}>` inside an `<svg>` skipped the `javascript:`/`vbscript:` check. Normalization now happens inside `checkURI`/`checkDataURI` so it is single-sourced. Also added `xlink:href` to the attribute list, since that is the SVG href alias and was not covered at all.

`button[formaction]` and `input[formaction]` submit to their URL, so a `javascript:` value there executes. Added `BUTTON`/`INPUT` to `badTags` and `formaction` to the attribute list.

A `data:` URL in these loads as a nested document and can run script. Added a `data:`-protocol check for `iframe`/`object`.

`java\nscript:` runs as `javascript:`. The fastboot `url.parse` path kept those chars and reported a null protocol, slipping past the check. Strip them there to match the WHATWG `URL` parser used on the browser path.

Tests added for each case except the tab/newline strip, which only runs on the fastboot `url.parse` path (the browser `URL` parser already strips those chars, so no integration path exercises it). Reproductions on limber for each case are in the comment below.
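The policy the description lays out, as an added stand-alone sketch written for this review rather than Ember's own sanitizer: tag normalization inside the check, `xlink:href` and `formaction` in the attribute list, a `data:` check limited to `iframe[src]`/`object[data]`, and ASCII tab/newline/CR stripped before the protocol is read. The tag and attribute lists, the `unsafe:` prefix and the `sanitizeAttributeValue` helper are assumptions made for the example.

```typescript
// Added illustration of the policy described in the PR body; not Ember's sanitizer.
// Tag/attribute lists here are constructed for the example, not copied from the project.
const BAD_TAGS: ReadonlySet<string> = new Set([
  'A', 'BODY', 'LINK', 'IMG', 'IFRAME', 'BASE', 'FORM', 'BUTTON', 'INPUT',
]);
const BAD_ATTRIBUTES: ReadonlySet<string> = new Set([
  'href', 'src', 'background', 'action', 'xlink:href', 'formaction',
]);
// Elements whose URL attribute loads a nested document, where a data: URL can carry script.
const DATA_URI_ATTRIBUTES: ReadonlyMap<string, string> = new Map([
  ['IFRAME', 'src'],
  ['OBJECT', 'data'],
]);
const UNSAFE_PROTOCOLS: ReadonlySet<string> = new Set(['javascript:', 'vbscript:']);

// HTML elements report an upper-case tagName; SVG elements keep their source casing
// (`a`, `clipPath`), so normalize once here rather than at every call site.
function normalizeTag(tagName: string | null): string | null {
  return tagName === null ? null : tagName.toUpperCase();
}

// Scheme extraction that, like the WHATWG URL parser, ignores ASCII tab/newline/CR,
// so `java\nscript:` is read as `javascript:` instead of reporting no protocol.
function protocolOf(value: string): string | null {
  const stripped = value.replace(/[\t\n\r]/g, '');
  const scheme = /^([a-z][a-z0-9+.\-]*):/i.exec(stripped)?.[1];
  return scheme ? `${scheme.toLowerCase()}:` : null;
}

function checkURI(tagName: string | null, attribute: string): boolean {
  const tag = normalizeTag(tagName);
  return (tag === null || BAD_TAGS.has(tag)) && BAD_ATTRIBUTES.has(attribute.toLowerCase());
}

function checkDataURI(tagName: string | null, attribute: string): boolean {
  const tag = normalizeTag(tagName);
  return tag !== null && DATA_URI_ATTRIBUTES.get(tag) === attribute.toLowerCase();
}

// Returns the value to render: prefixed with `unsafe:` (an assumed convention) when the
// URL would execute script for this tag/attribute, otherwise unchanged.
function sanitizeAttributeValue(tagName: string | null, attribute: string, value: string): string {
  const protocol = protocolOf(value);
  if (protocol === null) return value; // relative URL or no scheme: nothing to block
  if (checkURI(tagName, attribute) && UNSAFE_PROTOCOLS.has(protocol)) return `unsafe:${value}`;
  if (checkDataURI(tagName, attribute) && protocol === 'data:') return `unsafe:${value}`;
  return value;
}
```

Note that `img[src]` with a `data:` image passes untouched: the `data:` block applies only to the two nested-document elements, which is the scope the PR describes.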