Skip to content
This repository has been archived by the owner on Sep 5, 2018. It is now read-only.

enhancing the secure-handlebars with tag stack for giving warning to <svg> etc. scriptable context. #118

Open
neraliu opened this issue Jul 7, 2015 · 0 comments

Comments

@neraliu
Copy link
Contributor

neraliu commented Jul 7, 2015

We generally do not support scriptable context in secure-handlebars, as stated in README.md. However, using secure-handlebars still has the advantage over the original one. We now try to warn developers when placeholders are put in scriptable contexts as much as possible.

We're aware of that some scriptable context are not classified as the SCRIPT_DATA state (e.g., <svg> results in DATA state, <iframe srcdoc=""> is an attribute that can also result in script execution (https://github.com/yahoo/secure-handlebars/blob/master/src/handlebars-utils.js#L313)), as defined in the HTML5 specification.

To catch all of them for warnings, it's known that we need to further implement a stack to trace the tag hierarchy. Hence, we won't miss those placeholders where their parent's (parent's)+ tagName is scriptable.

(note: right now, we do not give warning to the use of <iframe srcdoc="">. it is known issue as mentioned in https://github.com/yahoo/secure-handlebars/blob/master/src/handlebars-utils.js#L313 )

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

1 participant