Caja Security Advisory 2016-01-28
44 views
Skip to first unread message
Kevin Reid
Jan 28, 2016, 2:33:54 PM1/28/16
to Google Caja Discuss
## Background
In certain cases, HTML elements can be “named” in ways which are
reflected as properties of DOM nodes, possibly overriding the normal
values of particular properties. Caja's DOM sandbox was not sufficiently
aware of this, leading to exposing a host DOM node directly to the
guest given HTML of the form
<form><input name="length"></form>
## Impact and Advice
This is a complete breach of the Caja DOM sandbox. Applications of Caja
which provide a DOM to the guest should immediately upgrade to Caja
v6004 https://github.com/google/caja/releases/tag/v6004 or later.
Applications of Caja which do not provide a DOM to the guest are not
affected.
## More Information
Discussion of the immediate fix may be found at:
Discussion of a more robust fix which interfered with <form> submit
functionality and was therefore not applied may be found at:
Reply all
Reply to author
Forward
0 new messages