This repository has been archived by the owner on Sep 5, 2018. It is now read-only.
enhancing the secure-handlebars with tag stack for giving warning to <svg> etc. scriptable context. #118
Labels
Milestone
We generally do not support scriptable context in secure-handlebars, as stated in README.md. However, using secure-handlebars still has the advantage over the original one. We now try to warn developers when placeholders are put in scriptable contexts as much as possible.
We're aware of that some scriptable context are not classified as the SCRIPT_DATA state (e.g.,
<svg>
results in DATA state,<iframe srcdoc="">
is an attribute that can also result in script execution (https://github.com/yahoo/secure-handlebars/blob/master/src/handlebars-utils.js#L313)), as defined in the HTML5 specification.To catch all of them for warnings, it's known that we need to further implement a stack to trace the tag hierarchy. Hence, we won't miss those placeholders where their parent's (parent's)+ tagName is scriptable.
(note: right now, we do not give warning to the use of
<iframe srcdoc="">
. it is known issue as mentioned in https://github.com/yahoo/secure-handlebars/blob/master/src/handlebars-utils.js#L313 )The text was updated successfully, but these errors were encountered: