html2canvas has a Trusted Types violation due to its use of the `document.write` API, which is considered a dangerous sink for XSS. This change fixes that and makes html2canvas compatible with Trusted Types.
The usage of `document.write` in html2canvas is also dangerous in that it might have the potential to trigger XSS with DOM Clobbering.
E.g.
```html
<body>
  <form name="doctype"></form>
  <script>
    console.log(document.doctype); // This returns the form above
  </script>
</body>
```
Specifications:
html2canvas version tested with: 1.4.1
Browser & version: Chrome 99
Operating system: Windows 11
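The following is an added example, not code from html2canvas or from the issue author: one way to refuse a clobbered `document.doctype`, like the one in the report above, before its fields are serialized into markup. The helper names `realDoctype` and `serializeDoctype` and the stand-in document objects are hypothetical and constructed so the check runs without a browser.

```javascript
// Added example: hypothetical helpers, not html2canvas code.
const DOCUMENT_TYPE_NODE = 10; // value of Node.DOCUMENT_TYPE_NODE in the DOM spec

// Return the real doctype node, or null if the property was clobbered.
// Strict comparison against a number also rejects nested clobbering such as
// <form name="doctype"><input name="nodeType"></form>, where nodeType
// resolves to an element instead of 10.
function realDoctype(doc) {
  const candidate = doc.doctype;
  if (candidate === null || typeof candidate !== 'object') return null;
  if (candidate.nodeType !== DOCUMENT_TYPE_NODE) return null;
  for (const key of ['name', 'publicId', 'systemId']) {
    if (typeof candidate[key] !== 'string') return null;
  }
  return candidate;
}

// Serialize the doctype, returning '' for anything that is not a genuine
// doctype or that could break out of the declaration.
function serializeDoctype(doc) {
  const dt = realDoctype(doc);
  if (dt === null) return '';
  const nameOk = /^[A-Za-z][A-Za-z0-9:._-]*$/.test(dt.name);
  const idOk = (s) => !/[<>"]/.test(s);
  if (!nameOk || !idOk(dt.publicId) || !idOk(dt.systemId)) return '';
  let out = '<!DOCTYPE ' + dt.name;
  if (dt.publicId) out += ' PUBLIC "' + dt.publicId + '"';
  if (dt.systemId) out += (dt.publicId ? ' "' : ' SYSTEM "') + dt.systemId + '"';
  return out + '>';
}

// Constructed stand-ins for document objects (no browser needed).
const cleanDoc = { doctype: { nodeType: 10, name: 'html', publicId: '', systemId: '' } };
// What document.doctype looks like when <form name="doctype"> shadows it.
const clobberedDoc = { doctype: { nodeType: 1, tagName: 'FORM', name: 'doctype' } };
// Form whose own nodeType is shadowed by a child control named "nodeType".
const nestedClobber = { doctype: { nodeType: { tagName: 'INPUT' }, name: 'doctype' } };
// Genuine node type, but a system identifier carrying markup characters.
const hostileId = { doctype: { nodeType: 10, name: 'html', publicId: '', systemId: '"><x>' } };

console.log(JSON.stringify([cleanDoc, clobberedDoc, nestedClobber, hostileId].map(serializeDoctype)));
```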