-
Notifications
You must be signed in to change notification settings - Fork 775
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bug: TypeError on Setting 'innerHTML': 'TrustedHTML' Assignment Required #5206
Comments
Thanks for the issue! This issue has been labeled as In the meantime, please read our 2023 Winter Holiday Triage Guide for information on how to ensure that your issue is triaged correctly. Thank you! |
This commit addresses security and performance concerns associated with using `innerHTML` for injecting CSS into `<style>` elements in `bootstrap-lazy.ts`. By switching to `textContent`, the risk of executing malicious scripts is mitigated and performance is improved due to the avoidance of HTML parsing. This change enhances the security and efficiency of Stencil's component initialisation process, particularly in environments with strict security policies like browser extensions, without impacting functionality in standard web applications. fixes: ionic-team#5206 Signed-off-by: Theodore GARSON <theodore.corbeaux@gmail.com>
Hey @TheodoreGC 👋 Thanks for the report! It looks like this was created using an older version of our bug report template. Can you please add the following information to the issue summary for me? This helps us triage/understand issues much more efficiently.
Thanks! |
Thanks for the issue! This issue has been labeled as Please reproduce this issue in an Stencil starter component library and provide a way for us to access it (GitHub repo, StackBlitz, etc). Without a reliable code reproduction, it is unlikely we will be able to resolve the issue, leading to it being closed. If you have already provided a code snippet and are seeing this message, it is likely that the code snippet was not enough for our team to reproduce the issue. For a guide on how to create a good reproduction, see our Contributing Guide. |
Hey @rwaskiewicz 👋, Thank you for the guidance. I've updated the bug report with the additional information you requested. Here's a quick summary:
Thanks again for your assistance! |
Hey @TheodoreGC - can you please provide some additional information for us?
Thanks! |
Hey @rwaskiewicz, Thanks for reaching out. I've updated the GitHub repository to include the full project of the web component. This should give a clearer picture. Additionally, I've revised the README to provide detailed instructions on how to install the component. This will help in setting up the environment for testing and reproducing the issue. Regarding the browsers, I've tested this behaviour on the following:
I hope this information helps. Let me know if you need anything else. Thanks! |
Thanks! I've validated that this is a bug, and I've ingested this into our backlog. I'll see if we can get the PR reviewed soon - there's a couple mixed usages of |
Hey @TheodoreGC, just set your PR to merge, so it will be included in the next release of Stencil. We'll be sure to ping here when that gets released! |
#5207) * fix(runtime): replace `innerHTML` with `textContent` for CSS injection This commit addresses security and performance concerns associated with using `innerHTML` for injecting CSS into `<style>` elements in `bootstrap-lazy.ts`. By switching to `textContent`, the risk of executing malicious scripts is mitigated and performance is improved due to the avoidance of HTML parsing. This change enhances the security and efficiency of Stencil's component initialisation process, particularly in environments with strict security policies like browser extensions, without impacting functionality in standard web applications. fixes: #5206 Signed-off-by: Theodore GARSON <theodore.corbeaux@gmail.com> * Update bootstrap-lazy.ts --------- Signed-off-by: Theodore GARSON <theodore.corbeaux@gmail.com> Co-authored-by: Alice Pote <alice.writes.wrongs@gmail.com> Co-authored-by: Alice Pote <alice.octavia.pote@gmail.com>
A fix for this has been published in v4.12.3. |
Stencil version:
Current behavior:
When attempting to inject a web component, built using Stencil, into a webpage via a browser extension's content script, an error is encountered:
Expected behavior:
The process of injecting a Stencil-generated web component into a webpage through a browser extension's content script should occur seamlessly, without triggering any errors related to content security policies or HTML trust requirements.
Other information:
This issue arises due to Stencil's bootstrap process for components, which relies on the
innerHTML
method. This method can be considered unsafe in the context of Chrome extensions, leading to stricter security checks and the resulting error.stencil/src/runtime/bootstrap-lazy.ts
Line 197 in a69b4d6
stencil/src/runtime/bootstrap-lazy.ts
Line 202 in a69b4d6
The error encountered indicates a conflict with the Content Security Policy (CSP) typically enforced in browser extensions. CSP aims to mitigate risks associated with cross-site scripting (XSS) and data injection attacks, which are particularly sensitive in the context of extensions that have elevated access to the user's browser.
As a proposed solution, replacing innerHTML with textContent in these contexts could mitigate the issue. textContent is generally considered a safer alternative and aligns well with the security requirements of browser extensions. An example substitution could be as follows:
Rationale for prefering
textContent
overinnerHTML
here:<style>
Elements: In the case of appending CSS to<style>
elements, the switch frominnerHTML
totextContent
carries no functional drawbacks for classical web applications. Since the content being manipulated is CSS (a form of text), and not HTML, there are no functional disadvantages to usingtextContent
overinnerHTML
. Both methods effectively achieve the same result when used to update the content of<style>
elements.In the specific scenario of appending CSS to
<style>
elements within Stencil's component initialisation process, the adoption oftextContent
is not only a security enhancement but also aligns with best practices for performance and code clarity. This change would positively impact both browser extensions and traditional web applications, without any loss of functionality or capability.System Info:
Code Reproduction URL:
Stencil Bug Reproduction Repository
Steps to Reproduce:
The steps to reproduce the issue can be found here
The text was updated successfully, but these errors were encountered: