[dart-announce] BREAKING CHANGE: appendHtml now sanitizes its input


'Alan Knight' via Dart Announcements

May 22, 2015, 12:55:21 PM
to anno...@dartlang.org
In dart:html most ways of setting/adding HTML text run it through a validator/sanitizer. The appendHtml method did not do this, which was an oversight opening up a potential security hole. 

What to change:
If you use appendHtml for trusted HTML text, you need to pass a null sanitizer to the API. An indication that you may need to do this is if you see console messages like 
   Removing disallowed element <...>
or
   Removing disallowed attribute ...

To avoid sanitizing, you need to pass a sanitizer that does nothing. For example:

    // A NodeTreeSanitizer whose sanitizeTree is a no-op: nothing is removed.
    class NullTreeSanitizer implements NodeTreeSanitizer {
      void sanitizeTree(Node node) {}
    }

    // Insert trusted markup unchanged by passing the no-op sanitizer.
    document.body.appendHtml('<div id="foo"></div>', treeSanitizer: new NullTreeSanitizer());

Why?
This is a potential security hole and an inconsistency in the API.

When:
With Dart 1.11 (r45818)

--
For more news and information, visit https://plus.google.com/+dartlang
 
To join the conversation, visit https://groups.google.com/a/dartlang.org/

Jan Mostert

May 23, 2015, 4:48:31 AM
to mi...@dartlang.org, anno...@dartlang.org
What kind of sanitising is it doing?
Is it just fixing invalid HTML, ripping out JavaScript and CSS?

Lex Berezhny

May 23, 2015, 4:54:04 AM
to misc

It removes DOM nodes and attributes that are not explicitly whitelisted. So if you run the sanitizer without whitelisting anything then it will delete everything.

Alan Knight

May 26, 2015, 1:51:57 PM
to misc

It does the same sanitizing as was already being done on setting innerHtml/setInnerHtml, the DocumentFragment.html constructor or other methods that create DOM nodes out of strings. It's policy driven, and the default policy is

https://api.dartlang.org/apidocs/channels/stable/dartdoc-viewer/dart:html.NodeValidatorBuilder#id_NodeValidatorBuilder-common

You can also pass a nodeValidator or treeSanitizer to do something different, or to skip sanitizing altogether.
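The three ways of calling appendHtml that Alan describes (default policy, an explicit validator, and skipping sanitizing for trusted markup), shown side by side as an added example that is not part of this thread or of dart:html itself. It assumes a page containing an element with id "log"; the markup strings are constructed for the demonstration.

```dart
import 'dart:html';

// Added example, not code from the announcement. Assumes a page with an
// element whose id is "log". The markup strings below are constructed.
class NullTreeSanitizer implements NodeTreeSanitizer {
  // No-op: the tree is inserted exactly as parsed.
  void sanitizeTree(Node node) {}
}

void main() {
  Element log = querySelector('#log');

  // Constructed untrusted markup: a harmless div plus an inline event handler,
  // the kind of string that should never reach the DOM unsanitized.
  String untrusted = '<div id="msg">hello</div><img src="x" onerror="alert(1)">';

  // 1. Default: appendHtml now applies the same policy as setInnerHtml
  //    (NodeValidatorBuilder.common()). The img survives, its onerror
  //    attribute does not, and the console shows
  //    "Removing disallowed attribute ...".
  log.appendHtml(untrusted);

  // 2. Explicit policy: only <div> with an id attribute is allowed, so the
  //    img is dropped entirely ("Removing disallowed element <img>").
  //    Text nodes always pass through.
  NodeValidator divOnly = new NodeValidatorBuilder()
    ..allowElement('div', attributes: ['id']);
  log.appendHtml(untrusted, validator: divOnly);

  // 3. Markup you generated yourself and fully control: skip sanitizing by
  //    passing a do-nothing tree sanitizer, as the announcement shows.
  String trusted = '<div id="foo"></div>';
  log.appendHtml(trusted, treeSanitizer: new NullTreeSanitizer());
}
```

Run it in a browser with the console open to see which of the two warning messages from the announcement each call produces.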
