Not sure if this has been covered before, but my quick search didn't yield any results. The issue is that certain webpages might assign a string (purposely or by mistake) to `scriptTag.innerHTML`. In this case, `createHTML` is called, instead of `createScript` (even though, effectively, a script is created). This might lead to XSS-es since HTML sanitizers won't probably sanitize `alert(1)` in any way.
Here's an example:
```html
<meta http-equiv=content-security-policy content="trusted-types default">
<script id=magic></script>
<script>
// simulate a good sanitizer
const sanitize = s => s;
const tt = trustedTypes.createPolicy('default', {
  createHTML(s) { return sanitize(s); },
  createScript(s) {
    return ''; // no eval at all!
  }
});
document.querySelector('#magic').innerHTML = 'alert(1)';
</script>
```
In the case above, `alert(1)` gets executed even though the policy explicitly forbids creating scripts from a string.
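To make the routing gap in the report concrete without a browser, here is an added, Node-runnable model of the sink dispatch. It is not browser code and not any Trusted Types implementation; `makeElement`, `setInnerHTMLAsReported`, `setInnerHTMLScriptAware` and the tag-stripping `sanitizeHTML` are constructed for this illustration. The first dispatch mirrors what the issue describes (innerHTML is always an HTML sink, so the string only ever reaches `createHTML`); the second routes a `<script>` assignment through `createScript`, which is the behaviour the report argues for. The point it shows is that a correct HTML sanitizer has no reason to touch bare text, so "alert(1)" survives `createHTML` and becomes script body.

```javascript
// Added example: a model of Trusted Types sink dispatch for innerHTML.
// Not Chromium or spec code; it only mimics the routing the issue describes.

// A "good" HTML sanitizer (constructed): strips tags, leaves bare text alone.
// Bare text such as "alert(1)" is not markup, so it passes through unchanged.
function sanitizeHTML(s) {
  return s.replace(/<[^>]*>/g, "");
}

// Default policy with the same shape as the one in the report.
const defaultPolicy = {
  createHTML: (s) => sanitizeHTML(s),
  createScript: () => "", // refuse to create script from a string
};

// Minimal element model (constructed; stands in for the DOM).
function makeElement(tagName) {
  return { tagName: tagName.toUpperCase(), text: "" };
}

// Dispatch as reported: innerHTML is an HTML sink on every element,
// so the value reaches createHTML only, even on <script>.
function setInnerHTMLAsReported(el, value, policy) {
  el.text = policy.createHTML(value);
  return el.text;
}

// Dispatch the report argues for: setting innerHTML on <script> effectively
// creates script, so the value should go through createScript instead.
function setInnerHTMLScriptAware(el, value, policy) {
  const sink = el.tagName === "SCRIPT" ? "createScript" : "createHTML";
  el.text = policy[sink](value);
  return el.text;
}

// What a <script> element would end up containing under a given dispatch.
function scriptBodyUnder(dispatch, value) {
  return dispatch(makeElement("script"), value, defaultPolicy);
}

// A <div> still receives sanitized HTML under either dispatch.
function divBodyUnder(dispatch, value) {
  return dispatch(makeElement("div"), value, defaultPolicy);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scriptBodyUnder(setInnerHTMLAsReported, "alert(1)")));  // "alert(1)"
  console.log(JSON.stringify(scriptBodyUnder(setInnerHTMLScriptAware, "alert(1)"))); // ""
  console.log(JSON.stringify(divBodyUnder(setInnerHTMLAsReported, "<b>hi</b>")));    // "hi"
}
```

Running the block prints the script body under each dispatch: the reported routing leaves `alert(1)` intact as script text while the policy's `createScript` is never consulted; the script-aware routing yields an empty body, which is what the policy in the report intends.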