Trusted Types allow .setAttribute('onclick', 'xss')
Issue description
Chrome Version: 71.0.3578.98 (Official Build) (64-bit)
OS: gLinux
What steps will reproduce the problem?
(1) Enforce Trusted Types.
(2) div.setAttribute('onclick', 'alert(1)').
What is the expected result?
Error: This document requires a Trusted Type assignment.
What happens instead?
Sets the handler.
img.setAttribute('src', 'a.jpg') throws the error as expected.
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b102879f8f3eae0543e0429ef26d248c3c4ea1d8

commit b102879f8f3eae0543e0429ef26d248c3c4ea1d8
Author: Jakub Vrana <jakubvrana@google.com>
Date: Thu Jan 10 19:14:36 2019

Require TrustedScript in el.setAttribute('on*')

Bug: 919107, 739170
Change-Id: Ie357fa1d13175e313605415b00fd3529247d84d0
Reviewed-on: https://chromium-review.googlesource.com/c/1400821
Commit-Queue: Jakub Vrana <jakubvrana@google.com>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#621686}

[modify] https://crrev.com/b102879f8f3eae0543e0429ef26d248c3c4ea1d8/third_party/blink/renderer/core/dom/element.cc
[modify] https://crrev.com/b102879f8f3eae0543e0429ef26d248c3c4ea1d8/third_party/blink/web_tests/external/wpt/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
[modify] https://crrev.com/b102879f8f3eae0543e0429ef26d248c3c4ea1d8/third_party/blink/web_tests/external/wpt/trusted-types/support/helper.sub.js
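A regression check for the gap reported in this issue, as an added example (not Chromium or WPT code): it tries to assign a plain string to several on* attributes and returns the names that were accepted. The function names and the two stub element factories are constructed for illustration so the check also runs outside a browser; in a page that enforces Trusted Types, pass `() => document.createElement('div')` instead.

```javascript
// Added example: not Chromium or WPT code. The stub elements below are
// constructed stand-ins so the check also runs outside a browser.
const HANDLER_ATTRS = ['onclick', 'ONCLICK', 'onerror', 'onmouseover'];

// Returns the handler attribute names that accepted a plain string.
// An empty array means every on* string assignment was blocked.
function findUnguardedHandlerAttrs(makeElement, names = HANDLER_ATTRS) {
  const unguarded = [];
  for (const name of names) {
    const el = makeElement();
    try {
      el.setAttribute(name, 'void 0'); // harmless string, never a TrustedScript
      unguarded.push(name);
    } catch (e) {
      if (!(e instanceof TypeError)) throw e; // only a TypeError counts as a block
    }
  }
  return unguarded;
}

// Constructed stub: behaves as the report describes (on* strings accepted).
function makeStubWithoutOnCheck() {
  const attrs = new Map();
  return {
    setAttribute(name, value) { attrs.set(name.toLowerCase(), String(value)); },
    getAttribute(name) {
      const key = name.toLowerCase();
      return attrs.has(key) ? attrs.get(key) : null;
    },
  };
}

// Constructed stub: rejects plain strings for on* names, as the commit title requires.
function makeStubWithOnCheck() {
  const base = makeStubWithoutOnCheck();
  return {
    ...base,
    setAttribute(name, value) {
      if (/^on/i.test(name) && typeof value === 'string') {
        throw new TypeError('This document requires a Trusted Type assignment.');
      }
      base.setAttribute(name, value);
    },
  };
}
```

The mixed-case `ONCLICK` entry is included because a guard that compares attribute names case-sensitively would miss it.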
Comment 1 by jakubvrana@google.com, Jan 8