fix: escape fallback raw-content text nodes #32
Conversation
alan-agius4 left a comment:
The tests indicate this fix introduces a regression with comments. For instance, `<noscript><!-- something --></noscript>` becomes escaped `<noscript>&lt;!-- something --&gt;</noscript>`. Although not dangerous, it changes the semantics by rendering a comment as active text, which is incorrect.
Force-pushed from c1781e6 to 9243756
Escape text nodes in iframe, noembed, noscript, and noframes during HTML serialization instead of emitting attacker-controlled bytes as raw markup. These fallback raw-content elements are inert when parsed directly by a browser, but SSR post-processing can reparse serialized HTML without preserving raw-content parser state. Escaping their text nodes prevents ancestor-closing payloads from being emitted as executable markup while preserving raw serialization for script, style, xmp, and plaintext.
Force-pushed from 9243756 to f56a381
@alan-agius4 Updated; regression tests were also added for the case of comments.

@alan-agius4 It's already updated. I'm not sure if there are any additional comments I could address on my side.
Escape text nodes in `iframe`, `noembed`, `noscript`, and `noframes` during HTML serialization instead of emitting attacker-controlled bytes as raw markup. These fallback raw-content elements are inert when parsed directly by a browser, but SSR post-processing can reparse serialized HTML without preserving raw-content parser state. Escaping their text nodes prevents ancestor-closing payloads from being emitted as executable markup while preserving raw serialization for `script`, `style`, `xmp`, and `plaintext`.
More context
https://issuetracker.google.com/u/1/issues/525899990 (marked as duplicated, since it was marked as a duplicate of my first report). @alan-agius4 Could you please check it?
EDIT: Traceability is now available at https://issuetracker.google.com/u/1/issues/525782033
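The serialization rule the description states, written out as an added example in JavaScript. This is not the project's serializer and not code from any participant in this thread; the node shapes, the set names, the sample trees and the `escapeFallbackRawText` option are assumptions made for the illustration. Text under `script`, `style`, `xmp` and `plaintext` stays raw, text under the four fallback raw-content elements is escaped, and comment nodes keep their own branch so the reviewer's `<noscript><!-- something --></noscript>` case is not turned into escaped text:

```javascript
// Added example, not the project's own code. Node shapes, set names and the
// escapeFallbackRawText option are assumptions made for this illustration.

// Elements whose text is still emitted raw (unchanged by the fix).
const RAW_TEXT_ELEMENTS = new Set(['script', 'style', 'xmp', 'plaintext']);
// Fallback raw-content elements: inert when a browser parses them directly,
// but their text is escaped so a later reparse cannot read it as markup.
const FALLBACK_RAW_TEXT_ELEMENTS = new Set(['iframe', 'noembed', 'noscript', 'noframes']);
// Void elements get no end tag and carry no children.
const VOID_ELEMENTS = new Set(['area', 'base', 'br', 'col', 'embed', 'hr', 'img',
  'input', 'link', 'meta', 'source', 'track', 'wbr']);

// Text-node escaping: '&' first so existing entities are not double-escaped.
function escapeText(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Attribute-value escaping for double-quoted attributes.
function escapeAttribute(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Assumed tree shape:
//   { type: 'element', name, attrs: {...}, children: [...] }
//   { type: 'text', value }
//   { type: 'comment', value }
// Default is the fixed behaviour; { escapeFallbackRawText: false } reproduces
// the pre-fix behaviour (fallback raw-content text emitted raw) for comparison.
function serialize(node, options = {}) {
  const escapeFallback = options.escapeFallbackRawText !== false;
  return serializeNode(node, null, escapeFallback);
}

function serializeNode(node, parentName, escapeFallback) {
  switch (node.type) {
    case 'text': {
      const emitRaw = RAW_TEXT_ELEMENTS.has(parentName)
        || (!escapeFallback && FALLBACK_RAW_TEXT_ELEMENTS.has(parentName));
      return emitRaw ? node.value : escapeText(node.value);
    }
    case 'comment':
      // A comment node is always serialized as a comment, whatever its parent,
      // so it is never pushed through the text-node escaping branch above.
      return `<!--${node.value}-->`;
    case 'element': {
      const attrs = Object.entries(node.attrs || {})
        .map(([name, value]) => ` ${name}="${escapeAttribute(value)}"`)
        .join('');
      if (VOID_ELEMENTS.has(node.name)) return `<${node.name}${attrs}>`;
      const inner = (node.children || [])
        .map((child) => serializeNode(child, node.name, escapeFallback))
        .join('');
      return `<${node.name}${attrs}>${inner}</${node.name}>`;
    }
    default:
      throw new Error(`unknown node type: ${node.type}`);
  }
}

// Constructed sample trees (not taken from the PR or its tests).
const el = (name, children, attrs = {}) => ({ type: 'element', name, attrs, children });
const text = (value) => ({ type: 'text', value });
const comment = (value) => ({ type: 'comment', value });

// Attacker-controlled text that tries to close its ancestor.
const SAMPLE_NOSCRIPT = el('noscript', [text('</noscript><b>injected</b>')]);
const SAMPLE_IFRAME = el('iframe', [text('</iframe><i>x</i>')], { src: 'about:blank' });
// The reviewer's regression case: a comment inside noscript.
const SAMPLE_NOSCRIPT_COMMENT = el('noscript', [comment(' something ')]);
// script content must remain raw.
const SAMPLE_SCRIPT = el('script', [text('if (a < b) { run(); }')]);

// Serializes every sample; returned as values so the results can be checked.
function examples() {
  return {
    fixed: serialize(SAMPLE_NOSCRIPT),
    legacy: serialize(SAMPLE_NOSCRIPT, { escapeFallbackRawText: false }),
    iframe: serialize(SAMPLE_IFRAME),
    comment: serialize(SAMPLE_NOSCRIPT_COMMENT),
    script: serialize(SAMPLE_SCRIPT),
  };
}

console.log(examples());
```

The `legacy` result shows the pre-fix output: the text node's `</noscript><b>injected</b>` lands in the output verbatim, which is exactly what a post-processing step that reparses the string without raw-content parser state would act on. The `fixed` and `iframe` results keep the same bytes but as `&lt;`/`&gt;` entities, so the only way to recover markup from them is a second, deliberate decode. The `comment` and `script` results are the two things the fix must not change.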