Comply with Trusted Types #2846

Open: wants to merge 14 commits into base: master

@shhnjk shhnjk commented Feb 25, 2022

Summary

html2canvas has a Trusted Types violation due to its use of the document.write API, which is considered a dangerous sink for XSS. This change fixes that and makes html2canvas compatible with Trusted Types.

Fixes: #2858

Test plan (required)

The existing test should be sufficient as there is no change in the functionality. There should be a test to check for Trusted Types violations, but the existing test.js has multiple Trusted Types violations, so I wasn't able to use that infra.


tosmolka commented Jul 4, 2022

@shhnjk, what about this fix - ac3e5fa - so that we avoid maintaining a TT policy? Thanks.

shhnjk (author) commented Jul 5, 2022

@tosmolka, have you checked if your solution actually picks up things like internalSlot or publicId from DocType? If that works, I think your solution is elegant :)

@tosmolka

@shhnjk, from my tests it works well with name, publicId and systemId (https://dom.spec.whatwg.org/#concept-doctype).

I don't think it works with internalSubset in newer browsers but that's expected as this property was deprecated and is no longer supported there.
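
An added example, not taken from this PR, the linked commit, or html2canvas: one way to carry a doctype into another document through the standard `createDocumentType` DOM call instead of a markup string, plus the field check discussed in the comments above. The function names `doctypeFields`, `copyDoctype` and `doctypeMatches` are hypothetical.

```javascript
// Added example, not html2canvas code; all function names are hypothetical.
// Works on any DOM Document (window.document, an iframe's document, ...).

// The three fields the DOM standard defines for a doctype node.
// internalSubset is not among them, so it is not carried over.
function doctypeFields(doctype) {
  if (!doctype) return null;
  return {
    name: doctype.name,
    publicId: doctype.publicId,
    systemId: doctype.systemId
  };
}

// Recreate sourceDoc's doctype inside targetDoc with DOM constructors only.
// No markup string is built, so nothing is handed to document.write or
// innerHTML and this step needs no Trusted Types policy or HTML escaping.
function copyDoctype(sourceDoc, targetDoc) {
  const fields = doctypeFields(sourceDoc.doctype);
  if (!fields) return null; // source has no doctype: nothing to copy
  const copy = targetDoc.implementation.createDocumentType(
    fields.name, fields.publicId, fields.systemId);
  if (targetDoc.doctype) {
    targetDoc.replaceChild(copy, targetDoc.doctype);
  } else {
    // A doctype must precede the root element, so insert it first.
    targetDoc.insertBefore(copy, targetDoc.firstChild);
  }
  return copy;
}

// Verification step: did name, publicId and systemId all survive the copy?
function doctypeMatches(sourceDoc, targetDoc) {
  const a = doctypeFields(sourceDoc.doctype);
  const b = doctypeFields(targetDoc.doctype);
  if (a === null || b === null) return a === b;
  return a.name === b.name &&
    a.publicId === b.publicId &&
    a.systemId === b.systemId;
}
```
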

shhnjk (author) commented Jan 12, 2023

@niklasvh could you take a look? Thanks!

nangelina added a commit to artificialonlinesao/html2canvas that referenced this pull request Feb 9, 2024
Successfully merging this pull request may close these issues.

Support Trusted Types and escape HTML special characters