fix: Make ARIA polyfill more robust

All the attributes listed in the polyfill already begin with "aria". However, to add extra protection against the possibility of XSS attacks through one of the polyfill's internal methods, this enforces "aria-" at the beginning of the snake-case attribute name, even if somehow "aria" were missing from the input JavaScript attribute name. This change is based on the outcome of an internal security review. Change-Id: Iec8a9cbd5f88fdf4b87da3e5cd058c4ffb69c3ff
joeyparrish · Jul 20, 2021 · b185b3c · b185b3c
1 parent 3270248
commit b185b3c
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/lib/polyfill/aria.js b/lib/polyfill/aria.js
@@ -48,7 +48,13 @@ shaka.polyfill.Aria = class {
    * @private
    */
   static addARIAMixinAttribute_(name) {
-    const snakeCaseName = name.toLowerCase().replace('aria', 'aria-');
+    const baseName = name.toLowerCase().replace(/^aria/, '');
+    // NOTE: All the attributes listed in the method above begin with "aria".
+    // However, to add extra protection against the possibility of XSS attacks
+    // through this method, this enforces "aria-" at the beginning of the
+    // snake-case name, even if somehow "aria" were missing from the input.
+    const snakeCaseName = `aria-${baseName}`;
+
     /* eslint-disable no-restricted-syntax */
     Object.defineProperty(Element.prototype, name, {
       get() {