New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 919121 link

Starred by 1 user
Status: Fixed
Owner:
jakubvrana@google.com
Closed: Jan 11
Cc:
mkwst@chromium.org
vogelheim@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

Any Trusted Type is assignable to restricted attributes via setAttribute

Project Member Reported by jakubvrana@google.com, Jan 4 
Chrome Version: 71.0.3578.98 (Official Build) (64-bit)
OS: gLinux

What steps will reproduce the problem?
(1) Enforce Trusted Types.
(2) var tt = TrustedTypes.createPolicy('tt', {createHTML: (s) => s});
(3) img.setAttribute('src', tt.createHTML('a.jpg'));

What is the expected result?
TrustedHTML shouldn't be assignable to img.src.

What happens instead?
Displays the image.

Comment 1 by jakubvrana@google.com, Jan 4 

The solution could be to return a map from restricted attribute name to required Trusted Type instead of set of restricted attribute names in GetCheckedAttributeNames.

Comment 2 by jakubvrana@google.com, Jan 8

Owner: jakubvrana@google.com
Status: Started (was: Available)
Project Member

Comment 3 by bugdroid1@chromium.org, Jan 10 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5a2deccebf26f63280ed91b2ed2898649ebdc5f4

commit 5a2deccebf26f63280ed91b2ed2898649ebdc5f4
Author: Jakub Vrana <jakubvrana@google.com>
Date: Thu Jan 10 15:38:52 2019

Allow only correct Trusted Type in setAttribute

This now matches the behavior of assigning properties. The correct
Trusted Type is allowed, incorrect Trusted Type is converted to string
and then treated as string.

Bug:  919121 , 739170
Change-Id: I400915f3c3d960f99f13b4e6894a61a9334e78b1
Reviewed-on: https://chromium-review.googlesource.com/c/1400668
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Jakub Vrana <jakubvrana@google.com>
Cr-Commit-Position: refs/heads/master@{#621589}
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/dom/element.cc
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/dom/element.h
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/forms/html_input_element.cc
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/forms/html_input_element.h
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_anchor_element.cc
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_anchor_element.h
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_base_element.cc
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_base_element.h
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_embed_element.cc
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_embed_element.h
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_frame_element.cc
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_frame_element.h
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_iframe_element.cc
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_iframe_element.h
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_image_element.cc
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_image_element.h
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_link_element.cc
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_link_element.h
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_object_element.cc
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_object_element.h
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_script_element.cc
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_script_element.h
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_source_element.cc
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/html_source_element.h
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/media/html_media_element.cc
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/media/html_media_element.h
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/track/html_track_element.cc
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/html/track/html_track_element.h
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/trustedtypes/trusted_types_util.cc
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/renderer/core/trustedtypes/trusted_types_util.h
[modify] https://crrev.com/5a2deccebf26f63280ed91b2ed2898649ebdc5f4/third_party/blink/web_tests/external/wpt/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html

Comment 4 by jakubvrana@google.com, Jan 11

Status: Fixed (was: Started)

Sign in to add a comment