Comments (6)
lit-html works by building a DOM tree, so injection of whole script elements is not an issue, but there are others.
The known XSS risks are:
- attacker controls value for the unsafeHTML directive; the string <img src=bogus onerror=alert(document.origin)> can inject code even though straightforward <script> injection fails.
- attacker controls text in sensitive locations: html`<script>${ x }</script>`
- attacker controls values for sensitive attributes like html`<iframe srcdoc=${ x }>` or html`<script src=${ x }></script>`
- attacker controls values assigned to sensitive properties like html`<div .innerHTML=${ x }>`
- attacker controls string that reaches event handlers like html`<button @onclick=${ x }>`
- attacker controls CSS which in other contexts has leaked information about page content.
The team is aware of those risks and is working on addressing them.
Is there any official documentation on the security/threat model of lit-html? I feel this is very important information and would be very useful to include as a section on the official website: https://lit-html.polymer-project.org
@lastmjs https://github.com/Polymer/polymer-resin#readme captures my threat modelling when I wrote resin. I don't speak for the Polymer project though.
@mikesamuel Thanks for this info!
On diving deeper, it turns out html`<button @onclick=${ x }>` is not problematic. Will edit my summary.
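The sink classes from the summary earlier in the thread, together with the correction just above that event bindings are not one of them, as an added illustration that is not code from lit-html or from anyone in this thread: a heuristic source scanner (hypothetical `scanSource`) that walks html`...` literals in a JavaScript source string, classifies each `${...}` by the static text in front of it (the same information a tagged-template function receives), and reports bindings in the positions listed: text content of `<script>`, the `srcdoc` attribute, `src` on a `script` tag, the `.innerHTML` property, and any argument passed to `unsafeHTML(...)`. `@` event bindings are deliberately not reported. The sample source at the bottom is constructed, and the template walker is a review-tooling heuristic, not a JavaScript parser.

```javascript
'use strict';

// Positions the thread identifies as sinks. Event (@) and boolean (?) bindings
// are left out on purpose: per the follow-up, an @ binding receives a listener
// function rather than a string that is evaluated.
const SENSITIVE_PROPERTIES = new Set(['innerHTML']);
const SENSITIVE_ATTRIBUTES = new Set(['srcdoc']);          // on any element
const SENSITIVE_TAG_ATTRIBUTES = new Set(['script:src']);  // attribute on a specific tag

// Parse one html`...` literal starting just after its opening backtick.
// Returns the static strings and the ${...} expressions, mirroring what a
// tagged-template function is called with.
function parseTemplate(src, i) {
  const strings = [];
  const exprs = [];
  let cur = '';
  while (i < src.length) {
    const c = src[i];
    if (c === '\\') { cur += c + src[i + 1]; i += 2; continue; }  // keep escapes verbatim
    if (c === '`') { strings.push(cur); return { strings, exprs, end: i + 1 }; }
    if (c === '$' && src[i + 1] === '{') {
      strings.push(cur);
      cur = '';
      const e = parseExpression(src, i + 2);
      exprs.push(e);
      i = e.end;
      continue;
    }
    cur += c;
    i += 1;
  }
  throw new Error('unterminated html`...` literal');
}

// Parse a ${...} body up to its closing brace. Nested template literals are
// skipped here (extractTemplates scans them separately) and omitted from
// `stripped`, the text used for the unsafeHTML check.
function parseExpression(src, i) {
  const start = i;
  let depth = 1;
  let stripped = '';
  while (i < src.length) {
    const c = src[i];
    if (c === '`') { i = parseTemplate(src, i + 1).end; continue; }
    if (c === '{') depth += 1;
    if (c === '}' && --depth === 0) return { raw: src.slice(start, i), stripped, end: i + 1 };
    stripped += c;
    i += 1;
  }
  throw new Error('unterminated ${...} expression');
}

// Every html`...` literal in the source, including ones nested in expressions.
function extractTemplates(src) {
  const out = [];
  let i = src.indexOf('html`');
  while (i !== -1) {
    const t = parseTemplate(src, i + 5);
    out.push(t);
    for (const e of t.exprs) out.push(...extractTemplates(e.raw));
    i = src.indexOf('html`', t.end);
  }
  return out;
}

// Decide which binding position a ${...} sits in from the static text before it.
function classifyBinding(prefix) {
  const tagMatch = /<([A-Za-z][\w-]*)[^<>]*$/.exec(prefix);  // still inside a start tag?
  const tag = tagMatch ? tagMatch[1].toLowerCase() : null;
  const attr = /([.@?]?)([A-Za-z_][\w-]*)\s*=\s*["']?$/.exec(prefix);
  if (tag && attr) {
    const sigil = attr[1];
    const name = attr[2];
    if (sigil === '.' && SENSITIVE_PROPERTIES.has(name)) return { kind: 'property', tag, name };
    if (sigil === '' && (SENSITIVE_ATTRIBUTES.has(name) || SENSITIVE_TAG_ATTRIBUTES.has(`${tag}:${name}`))) {
      return { kind: 'attribute', tag, name };
    }
    return null;  // ordinary attribute, or an @ / ? binding
  }
  const open = prefix.lastIndexOf('<script');
  if (open > prefix.lastIndexOf('</script') && prefix.indexOf('>', open) !== -1) {
    return { kind: 'script-text', tag: 'script', name: null };  // text content of <script>
  }
  return null;  // ordinary child position
}

// Scan a source string and list every binding in a sink position.
function scanSource(source) {
  const findings = [];
  for (const { strings, exprs } of extractTemplates(source)) {
    let prefix = '';
    exprs.forEach((e, k) => {
      prefix += strings[k];
      const sink = classifyBinding(prefix);
      if (sink) findings.push({ ...sink, expr: e.raw.trim() });
      if (/\bunsafeHTML\s*\(/.test(e.stripped)) {
        findings.push({ kind: 'unsafeHTML', tag: null, name: null, expr: e.stripped.trim() });
      }
    });
  }
  return findings;
}

// Constructed sample source: one safe template, one per sink class, one @ binding, one nested template.
const SAMPLE_SOURCE = [
  "import {html} from 'lit';",
  "import {unsafeHTML} from 'lit/directives/unsafe-html.js';",
  'const safe = html`<p class=${cls}>${user.name}</p>`;',
  'const a = html`<div .innerHTML=${bio}></div>`;',
  'const b = html`<iframe srcdoc="${doc}"></iframe>`;',
  'const c = html`<script src=${url}></script>`;',
  'const d = html`<script>${code}</script>`;',
  'const e = html`<button @click=${onClick}>Go</button>`;',
  'const f = html`<section>${unsafeHTML(renderMarkdown(post))}</section>`;',
  'const g = html`<ul>${items.map((i) => html`<li .innerHTML=${i.raw}></li>`)}</ul>`;',
].join('\n');

for (const f of scanSource(SAMPLE_SOURCE)) {
  console.log(`${f.kind.padEnd(11)} ${f.tag ?? '-'} ${f.name ?? '-'}  <- ${f.expr}`);
}
```

Run under Node with no dependencies; the sample yields six findings (`a` through `d`, `f`, and the nested template in `g`) and nothing for the safe template or the `@click` binding. The prefix-based classification is the same idea lit-html itself relies on at template-preparation time, which is why the scanner can decide the binding kind without rendering anything.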
What's the status of this?