Skip to content
This repository has been archived by the owner on Feb 2, 2021. It is now read-only.

SecurityAdvisory20190606

Kevin Reid edited this page Jun 6, 2019 · 1 revision

Background

When guest HTML contains an element that is not permitted by Caja's whitelist, it is renamed to a custom element (e.g. <title> becomes <caja-v-title>) so that it may exist in the DOM without having any of the side effects of the original name. However, such renaming could change how the text content of the element is parsed — in particular, if the old name was a "raw text" or "CDATA" element in which the content may contain < characters interpreted as text rather than markup. In this case, the result of the renaming is that the HTML passed to the browser contains unfiltered markup.

Impact and Advice

This is a complete breach of the Caja DOM sandbox. Applications of Caja which provide a DOM to the guest should immediately upgrade to Caja v6014 or later.

Applications of Caja which do not provide a DOM to the guest are not affected.

Applications of the standalone html-sanitizer which utilize tag renaming are also potentially affected and will be protected by the update.

Clone this wiki locally