w3c / trusted-types

A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.
https://w3c.github.io/trusted-types/dist/spec/

Add script protection mechanisms to SVGScriptElement #524

Open lukewarlow opened 2 weeks ago

lukewarlow commented 2 weeks ago

Addresses #483

lukewarlow commented 2 weeks ago

I've rebased this atop the parser PR so I can account for everything SVG in one PR.

annevk commented 2 weeks ago

Wouldn't it be better to handle HTML and SVG script at the same time?

lukewarlow commented 2 weeks ago

> Wouldn't it be better to handle HTML and SVG script at the same time?

Perhaps, but they're pretty distinct from each other spec-wise. This PR adds the "script text" and parser handling to the SVG script element that the HTML script element has. The only bit this PR is missing is actually doing the enforcement. I'm not sure how best to go about that, due to the fact that SVG doesn't have a "prepare the script" method definition.

525 will account for the more complicated parser stuff in one go for both SVG and HTML.