
use textContent instead of innerHtml, preventing XSS #3816

Conversation

@tanhauhau
Member

tanhauhau commented Oct 28, 2019

Fixes #3813

Added a new concept here, `is_static_content`, besides the `can_use_innerhtml`, to differentiate cases where we can use innerHtml:

  • no mustache tags
  • logic blocks, if, each, etc

and cases where the content is static:

  • no dynamic dependencies
  • only mount, will not need to handle changes.
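The two flags described in the PR, as an added example that is not Svelte's own code: it models a compiler deciding whether an element's content may be set through `innerHTML` (only author-written static markup) or must go through `textContent` (anything whose value arrives at runtime), and shows why the pre-fix path was an XSS sink. The element stand-in, the tokenizer, the template shape (`static` / `mustache` / `logic` children) and the sample state are all constructed for this example so it runs under Node without a browser DOM.

```javascript
// Added example, not Svelte's code: models the innerHTML vs textContent choice.
// Everything below (element stand-in, template shape, sample data) is constructed
// for this example so it runs under Node without a DOM.

// Minimal element stand-in: innerHTML parses markup into child nodes;
// textContent stores the string as one text node with no parsing at all.
class FakeElement {
  constructor(tag) { this.tag = tag; this.children = []; }
  set innerHTML(markup) { this.children = parseMarkup(String(markup)); }
  set textContent(text) { this.children = [{ type: 'text', data: String(text) }]; }
}

// Deliberately small tokenizer, not an HTML parser: it only needs to show that
// markup set through innerHTML becomes element nodes carrying attributes.
function parseMarkup(markup) {
  const nodes = [];
  const tokenRe = /<([a-zA-Z][\w-]*)([^>]*)>|<\/[a-zA-Z][\w-]*\s*>|([^<]+)/g;
  const attrRe = /([\w-]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = tokenRe.exec(markup)) !== null) {
    if (m[1]) {
      const attrs = {};
      let a;
      while ((a = attrRe.exec(m[2])) !== null) {
        attrs[a[1].toLowerCase()] = a[2] ? a[2].replace(/^["']|["']$/g, '') : '';
      }
      nodes.push({ type: 'element', tag: m[1].toLowerCase(), attrs });
    } else if (m[3]) {
      nodes.push({ type: 'text', data: m[3] });
    }
  }
  return nodes;
}

// Template children as a compiler might see them (constructed shape):
//   { kind: 'static', text }                          author-written template text/markup
//   { kind: 'mustache', expression, dependencies }    a {expr} tag whose value arrives at runtime
//   { kind: 'logic' }                                 an {#if}/{#each} block
// The two flags named in the PR, simplified for this example:
//   can_use_innerhtml: no mustache tags and no logic blocks
//   is_static_content: no dynamic dependencies, so the content is set once at mount
function canUseInnerHTML(children) {
  return children.every(c => c.kind === 'static');
}
function isStaticContent(children) {
  return children.every(c => c.kind !== 'logic' && !(c.dependencies || []).length);
}
function chooseStrategy(children) {
  if (canUseInnerHTML(children) && isStaticContent(children)) return 'innerHTML';
  // Text-only content (static text and/or mustache values) goes through
  // textContent: the browser never parses it as markup, so no XSS sink.
  if (children.every(c => c.kind === 'static' || c.kind === 'mustache')) return 'textContent';
  return 'nodes'; // logic blocks need individual DOM nodes managed at runtime
}

// Mount-time render: evaluate mustache tags against component state and apply
// the chosen strategy. forceInnerHTML reproduces the pre-fix behaviour for comparison.
function render(children, state, forceInnerHTML = false) {
  const strategy = forceInnerHTML ? 'innerHTML' : chooseStrategy(children);
  if (strategy === 'nodes') throw new Error('logic blocks are not modelled in this example');
  const el = new FakeElement('p');
  const text = children
    .map(c => (c.kind === 'mustache' ? String(state[c.expression]) : c.text || ''))
    .join('');
  if (strategy === 'innerHTML') el.innerHTML = text;
  else el.textContent = text;
  return { strategy, el };
}

// Defensive check on the mounted tree: did any element with an inline
// event-handler attribute (on*) get created from runtime data?
function hasInlineHandlers(el) {
  return el.children.some(n => n.type === 'element' &&
    Object.keys(n.attrs).some(k => k.startsWith('on')));
}

// Constructed sample: <p>{text}</p> where `text` comes from user-controlled state.
const template = [{ kind: 'mustache', expression: 'text', dependencies: ['text'] }];
const state = { text: '<img src="x" onerror="run()">' };

const fixed = render(template, state);        // textContent: one text node, nothing parsed
const unsafe = render(template, state, true); // pre-fix behaviour: markup parsed into <img onerror>

console.log(fixed.strategy, fixed.el.children, hasInlineHandlers(fixed.el));
console.log(unsafe.strategy, unsafe.el.children, hasInlineHandlers(unsafe.el));
```

The point the check makes visible: with `textContent` the user-supplied string stays a single text node, whatever it contains; only author-written template markup with no mustache tags and no dependencies qualifies for the `innerHTML` fast path.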
@tanhauhau tanhauhau mentioned this pull request Oct 28, 2019
@Rich-Harris Rich-Harris merged commit 4c5dd9f into sveltejs:master Oct 28, 2019
10 checks passed: Tests (Node 8, 10 and 12 on ubuntu-latest, windows-latest and macOS-latest) and Lint
@Rich-Harris

Member

Rich-Harris commented Oct 28, 2019

ah, whoops. good fix, thanks

@tanhauhau tanhauhau deleted the tanhauhau:tanhauhau/text-content-instead-of-inner-html branch Oct 28, 2019
@snoopysecurity


snoopysecurity commented Nov 4, 2019

Hey @Rich-Harris, any plans on pushing a new release to npm with this fix? Thanks 😊

@Conduitry

Member

Conduitry commented Nov 4, 2019

The last cut version (3.13.0-alpha.2) was before #3808, which introduced the issue.

@snoopysecurity


snoopysecurity commented Nov 5, 2019

Ahhh makes sense, thanks @Conduitry
