Sanitize browsableMessage HTML #16985
Labels: api-breaking-change, p2 (https://github.com/nvaccess/nvda/blob/master/projectDocs/issues/triage.md#priority), triaged (Has been triaged, issue is waiting for implementation.)
Is your feature request related to a problem? Please describe.
ui.browsableMessage can inject unsanitized HTML into NVDA. This is an issue if translations are passed in as unsanitized HTML.
Translations are fairly unregulated, translation strings are the only "code" included in NVDA without a direct review from NV Access or as a review as a dependency. If NVDA translations can perform RCE, we have a problem.
Considering no NVDA source code uses the isHTML functionality of this function currently, this isn't an active vector. However, if we ever start using isHTML, it becomes an active vector, which is something we want to avoid and prevent from becoming a possibility.
Describe the solution you'd like
nh3 to sanitize HTML passed into browsableMessage.
Describe alternatives you've considered
create developer warnings to ensure translations are not passed in as HTML in NVDA core
Additional context
This is an API breaking change as it will require add-on action to perform the same functionality with browsableMessage
Raised from #16369
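
An illustration of the allowlist sanitization the issue asks for, added here and not taken from NVDA or nh3: a standard-library stand-in showing what has to be stripped from a translated string before it is rendered as HTML. The allowlist, the name `sanitize_html` and the sample string are assumptions of this example.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this example; the issue does not specify one.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "h1", "h2", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://")
DROP_WITH_CONTENT = {"script", "style"}  # element and its text are discarded


class _AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
        elif tag in ALLOWED_TAGS and not self._skip_depth:
            kept = ""
            for name, value in attrs:
                value = (value or "").strip()
                # Keep only allowlisted attributes that carry an http(s) URL.
                if name in ALLOWED_ATTRS.get(tag, ()) and value.lower().startswith(SAFE_URL_PREFIXES):
                    kept += f' {name}="{escape(value)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag in ALLOWED_TAGS and not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data))  # text is re-escaped, never passed through


def sanitize_html(markup: str) -> str:
    parser = _AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed sample: a translated string carrying markup a translator could add.
UNTRUSTED = ('<p>Hi <b>all</b></p><script>alert(1)</script><img src=x onerror="alert(2)">'
             '<a href="javascript:alert(3)" onclick="x()">link</a>')
```

Formatting tags survive while the script element, the event-handler attributes and the `javascript:` URL are dropped; a maintained sanitizer such as nh3 covers parsing edge cases this short stand-in does not.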