Merged HTML parsing sinks with DOM XSS sinks. #407

Merged (1 commit) on Jan 16, 2024
28 changes: 10 additions & 18 deletions spec/index.bs
Expand Up @@ -205,31 +205,14 @@ it's not easy to distinguish one from the other.
This document organizes the injection sinks into groups, based on the
capabilities that sinks in a given group have. [=Enforcement=] for groups is controlled via <a>trusted-types-sink-group</a> values.

### HTML injection sinks ### {#html-injection-sinks}

*This section is not normative.*

HTML <a>injection sinks</a> parse input strings into a DOM tree. Since HTML parsers
can create arbitrary elements, including scripts, and set arbitrary attributes,
enabling the [=enforcement=] of any <a>trusted-types-sink-group</a> also implies
enforcing types for HTML injection sinks.

Examples of HTML injection sinks include:

* Functions that parse & insert HTML strings into the document like
{{InnerHTML/innerHTML|Element.innerHTML}},
{{Element/outerHTML|Element.outerHTML}} setter, or {{Document/write|Document.write}}.
* Functions that create a new same-origin {{Document}} with caller-controlled
markup like {{DOMParser/parseFromString()}},

### DOM XSS injection sinks ### {#dom-xss-injection-sinks}

*This section is not normative.*

DOM XSS <a>injection sinks</a> evaluate an input string value in a way that could
result in DOM XSS if that value is untrusted.

Examples of include:
Examples include:

* Setters for {{Element}} attributes that accept a URL of the code to load
like {{HTMLScriptElement/src!!attribute|HTMLScriptElement.src}},
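Review bot: the deleted sentence "enabling the [=enforcement=] of any <a>trusted-types-sink-group</a> also implies enforcing types for HTML injection sinks" stated a guarantee that holds for every sink group, and nothing in the remaining text restates it; after this hunk, HTML parsing sinks are only covered indirectly through the sentence "Guarding DOM XSS injection sinks is controlled by the <a>trusted-types-sink-group</a> named 'script'". If 'script' is intended to remain the only group, say so next to that sentence so the merged list is not read as narrowing coverage; otherwise keep a one-line statement that any group value also guards the HTML parsing sinks. Separately, removing the `### HTML injection sinks ### {#html-injection-sinks}` heading drops the `#html-injection-sinks` anchor, so any `[[#html-injection-sinks]]` cross-reference elsewhere in index.bs, and any external link to it, will break; either grep the spec for the id or leave a redirect anchor on the merged section.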
Expand All @@ -238,6 +221,15 @@ Examples of include:
* Functions that execute code directly like `eval`,
* Navigation to 'javascript:' URLs.

Since HTML parsers can create arbitrary elements, including scripts, and set arbitrary attributes,
DOM XSS <a>injection sinks</a> also include HTML parsing sinks:

* Functions that parse & insert HTML strings into the document like
{{InnerHTML/innerHTML|Element.innerHTML}},
{{Element/outerHTML|Element.outerHTML}} setter, or {{Document/write|Document.write}}.
* Functions that create a new same-origin {{Document}} with caller-controlled
markup like {{DOMParser/parseFromString()}}.

Guarding DOM XSS injection sinks is controlled by the <a>trusted-types-sink-group</a> named 'script'.

## Trusted Types ## {#trusted-types}
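Review bot: the justification added before the second list, "Since HTML parsers can create arbitrary elements, including scripts, and set arbitrary attributes", reads as if parsing alone executes code, which does not match the last bullet: {{DOMParser/parseFromString()}} yields a separate same-origin {{Document}} whose content runs only once nodes from it are inserted into the active document (for example through inline event-handler attributes on adopted elements), unlike the {{InnerHTML/innerHTML|Element.innerHTML}} and {{Document/write|Document.write}} cases that write into the live tree. Consider wording the sentence as "produce DOM trees that can execute script once attached to a document" so both bullets are covered. Also, the new list sits under the same "Examples include:" lead-in as the first list, separated only by the connecting sentence; merging the five bullets into one list, or giving the second list its own lead-in ("HTML parsing sinks include:"), would keep the section scannable.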