ejayimperial / google-caja

Automatically exported from code.google.com/p/google-caja

html_sanitize expects a string #40

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
    <div id="output">Hi</div>
    <script type="text/javascript">
    var o = {
        match: function () {
            return new Array(
                {
                    length: 0,
                    toString: function () {
                        return 'unsanitized control over innerHTML';
                    }
                }
            );
        },
        substring: function () { return ''; }
    };
    document.getElementById("output").innerHTML = o;
    </script>

Original issue reported on code.google.com by metaw...@gmail.com on 18 Jan 2008 at 1:29

GoogleCodeExporter commented 9 years ago
Note that the stuff returned by toString isn't sanitized!  I can put arbitrary
code/flash/whatever in there.  It's direct access to setInnerHTML.

Original comment by metaw...@gmail.com on 18 Jan 2008 at 1:38
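The report above turns on the sanitizer trusting that its argument is a string. As an added illustration that is not Caja's html_sanitize nor the reporter's code, here is a constructed toy tokenising sanitizer that makes the same assumption, beside a variant that coerces its input to a primitive string before doing anything else, exercised with an object shaped like the one in the report:

```javascript
// Toy sanitizer written with the assumption the issue describes: `html` is
// trusted to be a string, so its String methods are called directly.
// (Constructed example, not Caja's html_sanitize.)
function sanitizeUnchecked(html) {
  // Tokenise into tags and text runs. For a genuine string a text token can
  // never contain '<', so the loop treats non-tag tokens as safe to keep.
  var tokens = html.match(/<[^>]*>|[^<]+/g) || [];
  var out = '';
  for (var i = 0; i < tokens.length; i++) {
    var t = tokens[i];
    if (String(t).charAt(0) !== '<') {
      out += t; // if `t` is an object, this concatenation calls its toString
    }
    // tokens that look like tags are dropped
  }
  return out;
}

// Hardened variant: convert the argument to a primitive string once, before
// any processing. Every later String method is then the real one, and whatever
// a toString returned is itself tokenised by the sanitizer. Rejecting
// non-strings with a TypeError is the stricter alternative.
function sanitizeChecked(html) {
  if (typeof html !== 'string') {
    html = String(html);
  }
  return sanitizeUnchecked(html);
}

// Constructed input in the shape of the report: not a string, but it supplies
// the methods the sanitizer calls and returns a token whose toString yields
// markup that the tokeniser never saw.
var crafted = {
  match: function () {
    return [{ length: 0, toString: function () { return 'text <i>not sanitized</i>'; } }];
  },
  substring: function () { return ''; }
};

function demo() {
  return {
    unchecked: sanitizeUnchecked(crafted),   // 'text <i>not sanitized</i>': markup survives
    checked: sanitizeChecked(crafted),       // '[object Object]': coerced, then tokenised
    viaToString: sanitizeChecked({ toString: function () { return 'a <i>b</i> c'; } }) // 'a b c'
  };
}
```

The third case in `demo()` is the point of the coercion: once the input is a real string, anything a caller's toString produced passes through the same tokeniser as ordinary input.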

GoogleCodeExporter commented 9 years ago
And what container are you using?  What's providing the implementation of the
innerHTML setter?

Original comment by mikesamuel@gmail.com on 18 Jan 2008 at 5:04

GoogleCodeExporter commented 9 years ago
The shindig container.

Original comment by metaw...@gmail.com on 18 Jan 2008 at 4:12

GoogleCodeExporter commented 9 years ago

Original comment by erights on 28 Jan 2008 at 8:03