Description
http://code.google.com/p/google-caja/issues/detail?id=1108
r3652, which added support for iframe shims,
also allows iframes in static HTML.
So if you cajole
<iframe src="http://google.com">
Caja will happily emit that.
The URL policy gets to rewrite the URL (as mimeType=="text/html"),
but this is new behavior. A URL policy might not expect to
handle an iframe src URL, and might do the wrong thing with it.
Fixed whitelists to make sure that only the HTML attributes required
by IFRAME shims.
Added tests to TemplateSanitizer to check this going forward.
As Felix points out, we should revisit these taming decisions once we
have implemented the new URI policy which distinguishes between
immediately loaded content like
<iframe src="//foo.com/">
and content loaded on user interaction like
<a href="//foo.com/">.
Submitted @3810
Advisory @ http://code.google.com/p/google-caja/wiki/SecurityAdvisory19Oct2009
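The two mechanisms the description talks about, a per-element attribute whitelist for static HTML and a URI policy that is told how the URL it rewrites will be loaded, as an added example. This is not Caja's own code and does not reproduce its whitelist format or UriPolicy interface; LoadType, PERMISSIVE_WHITELIST, SHIM_WHITELIST, legacyUriPolicy, loadAwareUriPolicy, sanitizeElement, renderTag and the proxy host are all assumed names for illustration. PERMISSIVE_WHITELIST models the pre-fix state in which iframe src reaches a policy that never expected it; SHIM_WHITELIST models the fix, where the iframe entry carries only non-URL attributes a shim needs.

```javascript
// Added example, not code from the Caja project. Models a static-HTML
// attribute whitelist and a URI policy that receives the load type
// (immediate vs. user interaction). All names are assumptions.

const LoadType = Object.freeze({
  IMMEDIATE: 'immediate',     // fetched as soon as the markup renders (iframe src)
  USER_ACTION: 'user-action', // fetched only after the user acts on it (a href)
});

// Whitelist shape: element -> { attribute -> LoadType or null }.
// null means the attribute carries no URL and is copied through unchanged.

// Pre-fix shape of the problem: src is whitelisted on iframe, so a cajoled
// <iframe src="http://google.com"> is emitted with its src intact.
const PERMISSIVE_WHITELIST = {
  iframe: { src: LoadType.IMMEDIATE, width: null, height: null, style: null },
  a:      { href: LoadType.USER_ACTION, title: null },
};

// Fixed shape: the iframe entry lists only what a shim needs, and no src.
const SHIM_WHITELIST = {
  iframe: { width: null, height: null, style: null },
  a:      { href: LoadType.USER_ACTION, title: null },
};

// Resolve against the (assumed) container origin and keep http(s) only.
// Returns null to reject, which also drops javascript: and data: URLs.
function normalizeUrl(url) {
  let parsed;
  try { parsed = new URL(url, 'https://container.example/'); } catch (e) { return null; }
  return (parsed.protocol === 'https:' || parsed.protocol === 'http:') ? parsed.href : null;
}

// A policy written before iframe src could reach it: it ignores the load
// type and passes any http(s) URL through, which is the "wrong thing"
// for content that loads without any user action.
function legacyUriPolicy(url) {
  return normalizeUrl(url);
}

// A load-aware policy: immediately loaded URLs cannot be gated by a click,
// so they are routed through an assumed fetch proxy; click-time URLs pass.
function loadAwareUriPolicy(url, loadType) {
  const href = normalizeUrl(url);
  if (href === null) return null;
  if (loadType === LoadType.IMMEDIATE) {
    return 'https://proxy.example/fetch?url=' + encodeURIComponent(href);
  }
  return href;
}

// Apply the whitelist to one element's attributes, handing URL-bearing
// attributes to the policy. Returns null if the element itself is not allowed.
function sanitizeElement(tagName, attrs, whitelist, uriPolicy) {
  const allowed = whitelist[tagName.toLowerCase()];
  if (!allowed) return null;
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    const key = name.toLowerCase();
    // hasOwnProperty so inherited names such as "constructor" are rejected
    if (!Object.prototype.hasOwnProperty.call(allowed, key)) continue;
    const loadType = allowed[key];
    if (loadType === null) { out[key] = value; continue; }
    const rewritten = uriPolicy(value, loadType);
    if (rewritten !== null) out[key] = rewritten;
  }
  return out;
}

// Serialize with attribute-value escaping so a rewritten URL cannot close
// the attribute or the tag.
function renderTag(tagName, attrs) {
  const esc = (s) => String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
                              .replace(/</g, '&lt;').replace(/>/g, '&gt;');
  const parts = Object.entries(attrs).map(([k, v]) => ` ${k}="${esc(v)}"`);
  return `<${tagName}${parts.join('')}>`;
}

// Usage: the same input under both whitelists.
console.log(renderTag('iframe',
  sanitizeElement('iframe', { src: 'http://google.com', width: '10' }, PERMISSIVE_WHITELIST, legacyUriPolicy)));
console.log(renderTag('iframe',
  sanitizeElement('iframe', { src: 'http://google.com', width: '10' }, SHIM_WHITELIST, loadAwareUriPolicy)));
```

The point of carrying the load type into the policy is that the same policy callback then serves both `<iframe src>` and `<a href>` without guessing from the MIME type which one it is handling; with the shim whitelist alone, iframe src never reaches the policy at all.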
Patch Set 1
Patch Set 2: Bug 1108: caja now allows iframe src= in static html
Patch Set 3: Bug 1108: caja now allows iframe src= in static html
Patch Set 4: Bug 1108: caja now allows iframe src= in static html
Patch Set 5: Bug 1108: caja now allows iframe src= in static html