Coming soon-
In order to decrease the vulnerability of Dart applications to cross-site scripting attacks Dart will start sanitizing Element.innerHtml and related use cases by default. The basic API changes are that everywhere a string is parsed into DOM nodes we’re adding default sanitization as well as the ability to customize the sanitization rules.
Existing APIs such as new Element.html() will have optional arguments for specifying the sanitization rules, if not specified then the default sanitization is applied.
Affected APIs:
Element.innerHtml (use Element.setInnerHtml to override default behavior)
new Element.html()
new DocumentFragment.html()
new DocumentFragment.svg()
new SvgElement.svg()
The primary changes under the default sanitization rules, all of which can be customized:
Elements or attributes which are not whitelisted will be automatically stripped.
Only same-origin URIs will be allowed by default.
Inline style attributes will not be allowed- we currently have no scheme for sanitizing the contents of inline styles.
Custom element tags and tag extensions need to be explicitly enabled.
SVG elements will not be allowed in HTML fragments by default.
HTML elements will not be allowed in SVG fragments by default.
Script tags and script event attributes will not be allowed.
In addition, the Element.html() constructor previously tried to guess the correct parsing context for the HTML fragment but no longer will. This was used primarily for building up <table> contents. Use Element.createFragment to parse an HTML fragment within a specific context.
--
For other discussions, see https://groups.google.com/a/dartlang.org/
For HOWTO questions, visit http://stackoverflow.com/tags/dart
To file a bug report or feature request, go to http://www.dartbug.com/new
To unsubscribe from this group and stop receiving emails from it, send an email to misc+uns...@dartlang.org.
--
For other discussions, see https://groups.google.com/a/dartlang.org/
For HOWTO questions, visit http://stackoverflow.com/tags/dart
To file a bug report or feature request, go to http://www.dartbug.com/new
To unsubscribe from this group and stop receiving emails from it, send an email to misc+uns...@dartlang.org.
I don't understand how this idea can work even in principle.Sanitizer has no clue what came from user's input and what was written by programmer.
innerHtml: DO NOT USE THIS METHODI agree with that. The whole story can be reformulated simply as:> You can also ignore innerHtml entirely and build HTML in other ways. For example, this can be easily done via the > normal DOM constructors and setters (which are even easier to use with cascades). Another approach is to use data-binding.
:-)
--
With sanitizing, the following statement is not always true!! The getter and setter are not symmetric!node.innerHtml == (node.innerHtml = node.innerHtml)
> var d = document.createElement('div')undefined> d.innerHTML = "<div id=foobar>""<div id=foobar>"> d.innerHTML"<div id="foobar"></div>"
Its gone :(I've just locked our sdk version to 28990 for our project. We build a lot of widgets (so to speak) with innerhtml and have many attributes that get scrubbed even though we know they are safe. Building a custom sanitizer to disable a 'custom' default behavior seems yuck.
class NullTreeSanitizer implements NodeTreeSanitizer {const NullTreeSanitizer();void sanitizeTree(Node node) {}}
everywhere else:final allHtml = const NullTreeSanitizer();
// elem.unsafeInnerHtml = html; becomes:elem.setInnerHtml(html, allHtml);
Can unsafeInnerHtml be preserve for performance reasons?
Hi Paul, you can still disable sanitizer for your project:in some shared file:class NullTreeSanitizer implements NodeTreeSanitizer {const NullTreeSanitizer();void sanitizeTree(Node node) {}}everywhere else:final allHtml = const NullTreeSanitizer();// elem.unsafeInnerHtml = html; becomes:elem.setInnerHtml(html, allHtml);... not too bad, eh?