weizman / shield

Shield your DOM against clobbering attacks effortlessly
https://weizmangal.com/shield/
MIT License

Clobbering numbers bypasses shield #8

Closed weizman closed 3 months ago

weizman commented 3 months ago

Shield works by redefining the clobbered properties on window, but redefining numeric props is forbidden, so clobbering wins over shield -> https://weizmangal.com/shield/?html=%3Cdiv+id%3D123%3E&value=123

Maybe fix by forcing mutation observer to change numeric ids to something that can be redefined (e.g. 123 to a123)

weizman commented 3 months ago

fixed in last commit
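
The mitigation proposed in the first comment, sketched as an added example (not Shield's own fix, which this page does not show): a mutation observer prefixes any id that is an array-index key, the "numeric props" the issue says cannot be redefined on window. The function names and the `a` prefix (taken from the issue's "123 to a123") are assumptions.

```javascript
// Added example, not Shield's code. All names here are hypothetical.
const PREFIX = 'a'; // assumption: prefix from the issue's "123 to a123"

// True when `key` is an array-index property name ("0", "123", ...):
// a canonical non-negative integer string below 2^32 - 1.
// "0123", "1.5", "-1" and "1e3" are ordinary names and stay redefinable.
function isArrayIndexKey(key) {
  if (typeof key !== 'string' || key === '') return false;
  const n = Number(key);
  return Number.isInteger(n) && n >= 0 && n < 2 ** 32 - 1 && String(n) === key;
}

// Returns the id to store on the element: numeric ids get the prefix.
function rewriteId(id) {
  return isArrayIndexKey(id) ? PREFIX + id : id;
}

// Rewrites one element's id in place; returns true if it changed.
function fixElement(el) {
  const id = el.getAttribute('id');
  if (id === null || !isArrayIndexKey(id)) return false;
  el.setAttribute('id', rewriteId(id));
  return true;
}

// Browser-only wiring: fix existing nodes, then watch inserts and id changes.
function watch(root) {
  const fixTree = (node) => {
    if (node.nodeType !== 1) return; // elements only
    fixElement(node);
    node.querySelectorAll('[id]').forEach(fixElement);
  };
  fixTree(root);
  const observer = new MutationObserver((records) => {
    for (const r of records) {
      if (r.type === 'attributes') fixElement(r.target);
      else r.addedNodes.forEach(fixTree);
    }
  });
  observer.observe(root, {
    subtree: true, childList: true, attributes: true, attributeFilter: ['id'],
  });
  return observer;
}

// Skipped outside a browser (no DOM), so the helpers can be tested alone.
if (typeof document !== 'undefined') watch(document.documentElement);
```

Rewriting an id also changes what `getElementById` and id selectors match, so page code that relies on numeric ids will notice. The observer callback runs only after the mutation completes, so a synchronous read between the insert and the callback still sees the numeric id.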