-
Notifications
You must be signed in to change notification settings - Fork 80
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Possible to bypass XSS filter with nodeNS #168
Comments
This is close, but not quite what the issue is. Compare nodeNS : String -> String -> List (Attribute msg) -> List (Node msg) -> Node msg
nodeNS tag =
Elm.Kernel.VirtualDom.nodeNS (Elm.Kernel.VirtualDom.noScript tag) …with keyedNodeNS : String -> String -> List (Attribute msg) -> List ( String, Node msg ) -> Node msg
keyedNodeNS namespace tag =
Elm.Kernel.VirtualDom.keyedNodeNS namespace (Elm.Kernel.VirtualDom.noScript tag)
nodeNS : String -> String -> List (Attribute msg) -> List (Node msg) -> Node msg
nodeNS namespace tag =
Elm.Kernel.VirtualDom.nodeNS namespace (Elm.Kernel.VirtualDom.noScript tag) |
Seems there is just just a little mistake made by @evancz. |
Fixed in 9a389f8 which should be published shortly with version |
SSCCE: Ellie
The user John J on Slack found it, he had this research. Slack link
The crux of it seems to be that
nodeNS
arguments are swapped between Elm and JS, on the elm side the tag is the first argument passed intonodeNS
. Link to codeBut on the JS side it is expecting the tag as the second argument
The text was updated successfully, but these errors were encountered: