Skip to content

Commit

Permalink
Upstream http://cl/397536696
Browse files Browse the repository at this point in the history
  • Loading branch information
@bicknellr
bicknellr committed Apr 27, 2022
1 parent 4a85c7f commit 2445554
Showing 1 changed file with 7 additions and 9 deletions.
16 changes: 7 additions & 9 deletions lib/utils/html-tag.js
View file
Expand Up @@ -68,15 +68,13 @@ function literalValue(value) {
*/
function htmlValue(value) {
if (value instanceof HTMLTemplateElement) {
// Use the XML serializer to avoid xMSS attacks from browsers' sometimes
// unexpected formatting / cleanup of innerHTML.
const serializedNewTree = new XMLSerializer().serializeToString(
/** @type {!HTMLTemplateElement } */ (value));
// The XMLSerializer is similar to .outerHTML, so slice off the leading
// and trailing parts of the <template> wrapper tag.
return serializedNewTree.slice(
serializedNewTree.indexOf('>') + 1,
serializedNewTree.lastIndexOf('</'));
// This might be an mXSS risk – mainly in the case where this template
// contains untrusted content that was believed to be sanitized.
// However we can't just use the XMLSerializer here because it misencodes
// `>` characters inside style tags.
// For an example of an actual case that hit this encoding issue,
// see b/198592167
return /** @type {!HTMLTemplateElement } */(value).innerHTML;
} else if (value instanceof LiteralString) {
return literalValue(value);
} else {
Expand Down

0 comments on commit 2445554

Please sign in to comment.