Patch for href and src attributes #6
Comments
Hey @enzodev, sorry for the late reply. Would you be willing to contribute a patch which does that? This seems easy enough to be done by a volunteer :-) I am wondering if one could or should apply a URL encoding instead.

Hello guys, I was about to open a new issue, but it seems @enzodev reported the href encoding issues earlier. @freddyb https://freddyb.github.io/html2dom/#%3Cp%3ETest%20me%20%3Ca%20href=%22https://here.com/index.html%22%20target=%22_blank%22%3Eand%20there%3C/a%3E%3C/p%3E Cheers

Hey, @wifiextender. As you may have seen, html2dom isn't a very popular or maintained project :-)
Hello Frederik, It is really hard to mitigate all the possible XSS scenarios. It's a misunderstanding that HTML encoding will solve XSS, as the encoding disappears when you retrieve the attribute value from the DOM element. Imagine that there is a 'form' and it waits for user input:

Example 1:

```js
var scr = document.createElement("script");
scr.innerText = "<HolyCrap>";
```

Example 2:

```html
<form name="one">
<input type="text" name="zname" value="<html2dom encoded>">
</form>
<script>
var x = document.one.zname.value; // now we can execute 'x'
</script>
```

I've spent nearly one month and contributed over 4000 changes to a not-so-popular GitHub project, and the person still hasn't merged my pull requests, so I gave up on further contributions. Since then I do not wish to contribute to projects that are maintained by a single person who ignores pull requests. Given the fact that you work at Mozilla, I understand that you don't have enough time to maintain this project. Cheers
In the function `newAttribute` you should replace

```js
val = encodeForAttribute(val);
```

with this one:

```js
if (!((attr == "src") || (attr == "href"))) val = encodeForAttribute(val);
```

Try html2dom with this string: `<iframe width="420" height="315" src="http://www.youtube.com/embed/anything" frameborder="0"></iframe>`
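The proposed patch above (skip `encodeForAttribute` for `src` and `href`) and the later comment that entity encoding does nothing once a value is assigned through the DOM both come down to the same question: which encoding context the value is actually in. The example below is added here and is not html2dom's own code. It assumes the tool emits one `setAttribute` call per attribute in generated JavaScript (the hypothetical `emitAttribute` stands in for the page's `newAttribute`); the names `URL_ATTRIBUTES`, `ALLOWED_SCHEMES`, `checkUrl` and `jsStringLiteral` are assumptions made for this example. Every value is escaped as a JavaScript string literal for the generated source rather than HTML-entity-encoded, and URL attributes additionally get a scheme allowlist, which is the check that neither entity encoding nor URL encoding provides:

```javascript
// Added example, not html2dom's code. Assumes the generator turns each HTML
// attribute into a `target.setAttribute(name, value)` statement.
// URL_ATTRIBUTES, ALLOWED_SCHEMES, checkUrl, jsStringLiteral and
// emitAttribute are names invented for this example.

const URL_ATTRIBUTES = new Set(["href", "src"]);
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Encode a value as a JavaScript string literal for the *generated source*.
// JSON.stringify escapes quotes, backslashes and control characters; "<" is
// additionally written as \u003c so the generated code can never contain
// a literal "</script>" sequence if it is later inlined into a page.
function jsStringLiteral(val) {
  return JSON.stringify(String(val)).replace(/</g, "\\u003c");
}

// Check a URL destined for href/src: it must parse as an absolute URL and
// use an allowed scheme. Returns the normalised URL, or null if rejected.
// Entity encoding or percent-encoding would not change the scheme, so this
// allowlist is the check that actually matters for these two attributes.
function checkUrl(val) {
  let url;
  try {
    url = new URL(String(val).trim());
  } catch (e) {
    return null; // relative or unparseable: rejected in this example
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Produce one generated statement for attribute `attr` with raw value `val`,
// or null when a URL attribute fails the scheme check.
function emitAttribute(attr, val, target = "el") {
  let value = String(val);
  if (URL_ATTRIBUTES.has(attr)) {
    value = checkUrl(value);
    if (value === null) return null;
  }
  // No HTML entity encoding here: setAttribute stores the string literally,
  // so entities would survive as visible "&lt;" text (and mangle URLs).
  return `${target}.setAttribute(${jsStringLiteral(attr)}, ${jsStringLiteral(value)});`;
}

// Constructed sample attributes, including the iframe src from this issue.
const samples = [
  ["src", "http://www.youtube.com/embed/anything"],
  ["href", "https://here.com/index.html"],
  ["href", "javascript:void(0)"],
  ["title", 'say "hi" <b>'],
];
for (const [attr, val] of samples) {
  console.log(attr, "=>", emitAttribute(attr, val));
}
```

Run it with Node, where `URL` is a global. A real generator would also have to resolve relative `href`/`src` values against the document base before the scheme check; this example sidesteps that by rejecting anything that does not parse as an absolute URL.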