Unmatched </p> or </br> inside foreign context needs a special parser rule #5113
(Additional impl data:) parse5 is currently consistent with Blink/Webkit
I should also have referenced the corresponding Chromium bug.
chromium-wpt-export-bot added a commit to web-platform-tests/wpt that referenced this issue, Nov 27, 2019:
Prior to this CL, the following code:
<svg></p></svg>
parsed to this innerHTML:
<svg><p></p></svg>
This is in contrast to this code:
<svg><p></svg>
which parses to
<svg></svg><p></p>
The fact that the </p> is left inside the <svg> allowed sanitizer bypasses as detailed in [1]. Please also see [2] for the spec discussion. With this CL, </p> and </br> within a foreign context now cause the closing of the foreign context.
[1] https://research.securitum.com/dompurify-bypass-using-mxss/
[2] whatwg/html#5113
Bug: 1005713
Change-Id: Ic07ee50de4eb1ef19b73a075bd83785c99f4f891
html5lib leaves the <p> or <br> inside <svg>:
aarongable pushed a commit to chromium/chromium that referenced this issue, Nov 30, 2019:
Prior to this CL, the following code:
<svg></p></svg>
parsed to this innerHTML:
<svg><p></p></svg>
This is in contrast to this code:
<svg><p></svg>
which parses to
<svg></svg><p></p>
The fact that the </p> is left inside the <svg> allowed sanitizer bypasses as detailed in [1]. Please also see [2] for the spec discussion. With this CL, </p> and </br> within a foreign context now cause the closing of the foreign context.
[1] https://research.securitum.com/dompurify-bypass-using-mxss/
[2] whatwg/html#5113
Bug: 1005713
Change-Id: Ic07ee50de4eb1ef19b73a075bd83785c99f4f891
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1940722
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Commit-Queue: Mason Freed <masonfreed@chromium.org>
Cr-Commit-Position: refs/heads/master@{#720315}
chromium-wpt-export-bot added a commit to web-platform-tests/wpt that referenced this issue, Nov 30, 2019 (same commit message as above).
No problem - I just marked it all public. I had essentially been treating it as public given the blog post.
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this issue, Dec 5, 2019:
… and <br> within foreign context, a=testonly
Automatic update from web-platform-tests
Fix parser mXSS sanitizer bypass for <p> and <br> within foreign context
Prior to this CL, the following code:
<svg></p></svg>
parsed to this innerHTML:
<svg><p></p></svg>
This is in contrast to this code:
<svg><p></svg>
which parses to
<svg></svg><p></p>
The fact that the </p> is left inside the <svg> allowed sanitizer bypasses as detailed in [1]. Please also see [2] for the spec discussion. With this CL, </p> and </br> within a foreign context now cause the closing of the foreign context.
[1] https://research.securitum.com/dompurify-bypass-using-mxss/
[2] whatwg/html#5113
Bug: 1005713
Change-Id: Ic07ee50de4eb1ef19b73a075bd83785c99f4f891
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1940722
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Commit-Queue: Mason Freed <masonfreed@chromium.org>
Cr-Commit-Position: refs/heads/master@{#720315}
--
wpt-commits: 561b765308e6d188618f3ba73091bb598d8357ce
wpt-pr: 20489
xeonchen pushed a commit to xeonchen/gecko that referenced this issue, Dec 5, 2019 (same commit message as above).
As the current parser spec is written, <svg></p></svg> and <svg></br></svg> both result in <p> and <br> DOM nodes as children of the <svg>. As mentioned in this Chromium bug and this blog post, this can be exploited as a sanitizer bypass. Here is an example DOM Viewer link showing the behavior.
By my reading of the spec:
Current implementations:
I believe the spec should follow current Gecko behavior. I think the easiest way to change the spec would be to add a special case within the foreign context section for end tags whose tag name is "p" or "br", which closes the foreign context and then processes the </p> or </br> as normal for a non-foreign context.
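The tree shapes discussed in this issue, as an added defensive check that is not part of the issue or of any linked patch: a walk over a parsed tree that flags HTML-namespace `p`/`br` elements stranded inside `svg`/`math` content, which is exactly what the pre-fix parser builds for `<svg></p></svg>` and what a serialize-then-reparse sanitizer round trip mutates. It assumes DOM-shaped nodes (`nodeType`, `namespaceURI`, `localName`, `childNodes`) and, as a labelled simplification, treats every MathML `annotation-xml` as an integration point; the sample trees below are constructed, not parser output.

```javascript
// Added example (not from the issue or any linked patch): report HTML-namespace
// <p>/<br> elements that are descendants of <svg>/<math> without an HTML
// integration point in between. Works on real DOM nodes (document.body,
// DOMParser output) and on the plain-object trees constructed below.
const HTML_NS = "http://www.w3.org/1999/xhtml";
const SVG_NS = "http://www.w3.org/2000/svg";
const MATHML_NS = "http://www.w3.org/1998/Math/MathML";

// Assumed simplification: annotation-xml counts as an integration point
// regardless of its encoding attribute (the spec only does so for
// text/html and application/xhtml+xml).
function isIntegrationPoint(node) {
  return (node.namespaceURI === SVG_NS &&
          ["foreignObject", "desc", "title"].includes(node.localName)) ||
         (node.namespaceURI === MATHML_NS && node.localName === "annotation-xml");
}

// Returns "/svg/p"-style paths for every stranded element under `root`.
function findStrandedHtmlEndTags(root) {
  const hits = [];
  const walk = (node, path, inForeign) => {
    for (const child of node.childNodes || []) {
      if (child.nodeType !== 1) continue; // elements only
      const childPath = path + "/" + child.localName;
      const foreign = child.namespaceURI === SVG_NS || child.namespaceURI === MATHML_NS;
      if (inForeign && child.namespaceURI === HTML_NS &&
          (child.localName === "p" || child.localName === "br")) {
        hits.push(childPath);
      }
      // Inside an integration point, HTML content is legitimate again.
      const nextForeign = isIntegrationPoint(child) ? false : (inForeign || foreign);
      walk(child, childPath, nextForeign);
    }
  };
  walk(root, "", false);
  return hits;
}

// Constructed sample trees (plain objects mimicking DOM element nodes).
const el = (ns, name, ...kids) =>
  ({ nodeType: 1, namespaceURI: ns, localName: name, childNodes: kids });
// What the pre-fix parser builds for "<svg></p></svg>": <svg><p></p></svg>
const legacyTree = el(HTML_NS, "body", el(SVG_NS, "svg", el(HTML_NS, "p")));
// What the fixed parser builds: <svg></svg><p></p>
const fixedTree = el(HTML_NS, "body", el(SVG_NS, "svg"), el(HTML_NS, "p"));
// Legitimate HTML inside <foreignObject> must not be flagged.
const legitTree = el(HTML_NS, "body",
  el(SVG_NS, "svg", el(SVG_NS, "foreignObject", el(HTML_NS, "p"))));
```

In a browser, `findStrandedHtmlEndTags(new DOMParser().parseFromString(html, "text/html").body)` run on the sanitizer's output tells you whether the engine you are on still produces the legacy shape.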