During the Blockly User Summit the topic of XML security came up a couple of times and several participants wanted to discuss this further.

A little-known feature of Blockly's XML is that it is intended to be safe from malicious code injection. There should be no way to modify XML to inject arbitrary JavaScript (or Python, or whatever) code. Thus malicious XML can be loaded into (possibly headless) Blockly, code generated, and the resulting code is no different from what could be created using Blockly itself.

You can't modify XML to connect two incompatible blocks together, you can't modify XML to choose non-existent dropdown options, you can't modify XML to create function calls that don't have definitions, and you certainly can't modify the XML to access your browser's cookies.

Also, I just posted some sub-optimal behaviour:

It would be good to increase awareness of this feature.