## Background
In certain cases, HTML elements can be “named” in ways which are
reflected as properties of DOM nodes, possibly overriding the normal
values of particular properties. Caja's DOM sandbox was not sufficiently
aware of this, leading to exposing a host DOM node directly to the
guest given HTML of the form
<form><input name="length"></form>
## Impact and Advice
This is a complete breach of the Caja DOM sandbox. Applications of Caja
which provide a DOM to the guest should immediately upgrade to Caja
Applications of Caja which do not provide a DOM to the guest are not
affected.
## More Information
Discussion of the immediate fix may be found at:
Discussion of a more robust fix which interfered with <form> submit
functionality and was therefore not applied may be found at: