Issue 124069: Bug 1108: caja now allows iframe src= in static html

Issue 124069: Bug 1108: caja now allows iframe src= in static html (Closed)

Can't Edit
Can't Publish+Mail
Start Review

Created:
14 years, 7 months ago by MikeSamuel

Modified:
14 years, 7 months ago

Reviewers:
felix8a, Jasvir, metaweta

CC:
caja-discuss-undisclosed_googlegroups.com

Base URL:
http://google-caja.googlecode.com/svn/trunk/

Visibility:
Public.

Description

http://code.google.com/p/google-caja/issues/detail?id=1108 r3652 which added support for iframe shims also allows iframes in static html. so if you cajole <iframe src="http://google.com"> caja will happily emit that. the urlpolicy gets to rewrite the url (as mimeType=="text/html"), but this is new behavior. a urlpolicy might not expect to handle an iframe src url, and might do the wrong thing with it. Fixed whitelists to make sure that only the HTML attributes required by IFRAME shims. Added tests to TemplateSanitizer to check this going forward. As Felix points out, we should revisit these taming decisions once we have implemented the new URI policy which distinguishes between immediately loaded content like <iframe src="//foo.com/"> and content loaded on user interaction like <a href="//foo.com/"> Submitted @3810 Advisory @ http://code.google.com/p/google-caja/wiki/SecurityAdvisory19Oct2009

Patch Set 1 #

Patch Set 2 : Bug 1108: caja now allows iframe src= in static html #

Total comments: 2

Patch Set 3 : Bug 1108: caja now allows iframe src= in static html #

Patch Set 4 : Bug 1108: caja now allows iframe src= in static html #

Patch Set 5 : Bug 1108: caja now allows iframe src= in static html #

Created: 14 years, 7 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+146 lines, -24 lines)			Patch
M	src/com/google/caja/lang/html/HTML.java	View	1 2 3 4	1 chunk	+1 line, -1 line	0 comments	Download
M	src/com/google/caja/lang/html/HtmlSchema.java	View	1 2 3 4	1 chunk	+4 lines, -2 lines	0 comments	Download
M	src/com/google/caja/lang/html/html4-attributes-whitelist.json	View	1 2 3 4	10 chunks	+20 lines, -20 lines	0 comments	Download
M	tests/com/google/caja/plugin/templates/TemplateSanitizerTest.java	View	1 2 3 4	1 chunk	+121 lines, -1 line	0 comments	Download

Messages

Total messages: 4

Expand All Messages | Collapse All Messages

felix8a

lgtm http://codereview.appspot.com/124069/diff/7/1007 File src/com/google/caja/lang/html/html4-attributes-whitelist.json (right): http://codereview.appspot.com/124069/diff/7/1007#newcode264 Line 264: { "key": "IFRAME::ID", I'm a little confused ...

14 years, 7 months ago (2009-09-29 20:51:28 UTC) #2

MikeSamuel

http://codereview.appspot.com/124069/diff/7/1007 File src/com/google/caja/lang/html/html4-attributes-whitelist.json (right): http://codereview.appspot.com/124069/diff/7/1007#newcode264 Line 264: { "key": "IFRAME::ID", On 2009/09/29 20:51:28, felix8a wrote: ...

14 years, 7 months ago (2009-09-29 21:18:00 UTC) #3

felix8a

14 years, 7 months ago (2009-09-29 21:22:08 UTC) #4

On 2009/09/29 21:18:00, MikeSamuel wrote:
> http://codereview.appspot.com/124069/diff/7/1007
> File src/com/google/caja/lang/html/html4-attributes-whitelist.json (right):
> 
> http://codereview.appspot.com/124069/diff/7/1007#newcode264
> Line 264: { "key": "IFRAME::ID",
> On 2009/09/29 20:51:28, felix8a wrote:
> > I'm a little confused by the types declaration without
> > any attributes.  is that just for the comment?
> 
> Yep.  I'm creating this element so that I can deny IFRAME::ID while allowing
> *::ID.

oh, right.  ok.

Expand All Messages | Collapse All Messages