Impact
The validation logic that exists in dart:html for creating DOM nodes from text (String instances) was missing checks that allow for cross-site scripting (XSS) attacks using DOM clobbering.
Affected APIs are those that take in a NodeValidator and include the Element.html constructor, as well as the Element functions setInnerHtml, appendHtml, and insertAdjacentHtml. There are similar APIs on DocumentFragment.
NodeValidator is used to prevent DOM clobbering attacks. There are cases where carefully crafted user input can be used to corrupt previousNode or previousSibling on a DOM element to enable an XSS attack.
All Dart SDK releases up to and including 2.7.1 and 2.8.0-dev.16.0 are affected.
Patches
If you're using a stable release of Dart, version 2.7.2 or later contains changes that address this vulnerability.
If you're using a dev release of Dart, version 2.8.0-dev.17.0 or later contains the fix.
Workarounds
If you cannot update the Dart SDK you are using to rebuild your applications, we recommend you review uses of the affected APIs. Pay special attention to cases where user-provided data is used to populate DOM nodes.
Consider using Element.innerText or Node.text to populate DOM elements.
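A worked illustration of this workaround, added here as an example (it is not code from the Dart SDK or from this advisory; the function names and the '#comments' layout are hypothetical): the first function feeds user text through HTML parsing and therefore depends entirely on the NodeValidator, while the second builds the DOM in code and only ever assigns user strings via text, which never reaches the parser.

```dart
import 'dart:html';

/// Risky pattern: user-controlled strings are interpolated into markup and
/// parsed as HTML, so safety rests on the validator rejecting every trick.
void renderCommentRisky(Element container, String author, String body) {
  container.setInnerHtml('<p><b>$author</b>: $body</p>',
      validator: NodeValidatorBuilder.common());
}

/// Safer pattern (the advisory's workaround): build the structure with
/// element constructors and assign user data only through `text` /
/// `appendText`, so it is always a text node, never parsed markup.
void renderComment(Element container, String author, String body) {
  final name = Element.tag('b')..text = author;
  final para = ParagraphElement()
    ..append(name)
    ..appendText(': $body');
  container.append(para);
}

/// User-supplied links deserve the same treatment: keep the URL out of any
/// HTML string, and only accept http(s) before assigning it to href.
/// Throws ArgumentError for anything else (javascript:, data:, ...).
AnchorElement userLink(String label, String rawUrl) {
  final uri = Uri.tryParse(rawUrl);
  if (uri == null || !(uri.scheme == 'http' || uri.scheme == 'https')) {
    throw ArgumentError.value(rawUrl, 'rawUrl', 'only http(s) URLs allowed');
  }
  return AnchorElement(href: uri.toString())..text = label;
}

void main() {
  final container = DivElement()..id = 'comments';
  document.body?.append(container);
  // Constructed sample input: the body would be markup if parsed as HTML,
  // but renderComment displays it literally as text.
  renderComment(container, 'alice', '<img src=x onerror=alert(1)>');
  container.append(userLink('profile', 'https://example.com/alice'));
}
```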
References
An article on DOM clobbering.
For more information
See our community page to find ways to contact the team.
Thanks
Much thanks to Vincenzo di Cicco for finding and reporting this issue!