Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

do not reject data: protocol #26

Open
kapouer opened this issue Apr 17, 2017 · 2 comments
Open

do not reject data: protocol #26

kapouer opened this issue Apr 17, 2017 · 2 comments

Comments

@kapouer
Copy link

kapouer commented Apr 17, 2017
edited
Loading

Though i don't have a clear idea if data: protocol can be a xss attack vector.
Maybe at least uri starting with data:image/ should be allowed - they should be pretty harmless.
kapouer added a commit to kapouer/html-tagged-template that referenced this issue Apr 17, 2017
@kapouer
Do not reject data protocol as xss-unsafe
96b909e 
Fix straker#26
kapouer added a commit to kapouer/html-tagged-template that referenced this issue Apr 17, 2017
@kapouer
Allow replacement value to be a DOM Node
109a2e9 
Fix straker#26
@kapouer kapouer mentioned this issue Apr 17, 2017
Closed
@straker
Copy link
Owner

straker commented Apr 18, 2017
edited
Loading

The data protocol can allow attack vectors through data:text/html, so we shouldn't allow that. It's also possible in Firefox (even current) to use the embed element and data:image/svg+xml as an attack vector.

These are the only examples I could find, but I'm not a security expert. From what I've read, to guarantee XSS prevention you should only accept http and https.

@kapouer
Copy link
Author

kapouer commented Apr 18, 2017

It feels odd, though, to discard mecanisms upstream. User of template strings should not merge unsafe data in the first place...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kapouer @straker