alphagov / govuk_publishing_components

A gem to document and distribute frontend components for GOV.UK applications
https://components.publishing.service.gov.uk
MIT License

Possible injection if axe warning has HTML #736

Closed NickColley closed 5 years ago

NickColley commented 5 years ago

If you wrap the tag component's text with <marquee>, it'll also apply to the axe warning since the output has HTML in the markup.

NickColley commented 5 years ago

We could solve this by constructing this DOM with document.createElement and textNode.textContent which'll stop raw HTML from being rendered.

https://github.com/alphagov/govuk_publishing_components/blob/master/app/assets/javascripts/component_guide/accessibility-test.js#L136

barrucadu commented 5 years ago

Here's a reproduction:

<%= tag.div class: "gem-c-tag" do %>
  <marquee><%= text %></marquee>
<% end %>

Maybe the most surprising lesson here is that Chrome still supports <marquee>.
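The fix suggested above (building the warning with document.createElement and textContent) next to the string-built rendering that lets the <marquee> reproduction leak into the axe output, as an added example that is not the gem's own accessibility-test.js. The sample violation, the string-concatenation shape of the unsafe renderer, and the minimal stand-in for `document` (used only so the example runs under Node) are assumptions.

```javascript
// Added example (not the gem's accessibility-test.js): render an axe warning
// with createElement + textContent so markup found in the offending element
// (here the <marquee> reproduction from the issue) is shown as literal text.

// Constructed sample in axe-core's result shape (id, help, nodes[].html).
const sampleViolation = {
  id: "color-contrast",
  help: "Elements must have sufficient color contrast",
  nodes: [{ html: '<div class="gem-c-tag"><marquee>Alpha</marquee></div>' }],
};

// Unsafe (assumed shape of the current output): concatenating the violation's
// html into a string that is later assigned to innerHTML re-parses it, so the
// page's <marquee> becomes live markup inside the warning.
function renderWarningUnsafe(violation) {
  return "<h3>" + violation.help + "</h3><pre>" + violation.nodes[0].html + "</pre>";
}

// Safe: build nodes and assign textContent. The untrusted string never reaches
// an HTML parser, and serialising the node back escapes < > & for display.
function renderWarningSafe(doc, violation) {
  const wrapper = doc.createElement("div");
  const heading = doc.createElement("h3");
  heading.textContent = violation.help;
  const snippet = doc.createElement("pre");
  snippet.textContent = violation.nodes[0].html;
  wrapper.appendChild(heading);
  wrapper.appendChild(snippet);
  return wrapper;
}

// Minimal stand-in for `document` (assumption, so this runs under Node; in the
// browser pass the real `document`). It mirrors how a DOM serialises a text
// node: textContent is stored as data and escaped only when read as HTML.
function makeMiniDocument() {
  const escape = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
  return {
    createElement(tag) {
      const el = { tag, children: [], textContent: "" };
      el.appendChild = (child) => { el.children.push(child); return child; };
      Object.defineProperty(el, "outerHTML", {
        get() {
          const inner = el.children.length
            ? el.children.map((c) => c.outerHTML).join("")
            : escape(el.textContent);
          return "<" + tag + ">" + inner + "</" + tag + ">";
        },
      });
      return el;
    },
  };
}

const doc = typeof document !== "undefined" ? document : makeMiniDocument();
console.log(renderWarningUnsafe(sampleViolation));
console.log(renderWarningSafe(doc, sampleViolation).outerHTML);
```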