Deion In this article, it mentions that 'lit-html' includes

lit-html works by building a DOM tree, so injection of whole elements is not an

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

[docs] Add info on automatic XSS-prevention / escaped characters about lit.dev HOT 6 OPEN

lit commented on July 27, 2024 11

[docs] Add info on automatic XSS-prevention / escaped characters

from lit.dev.

Comments (6)

mikesamuel commented on July 27, 2024 8

lit-html works by building a DOM tree, so injection of whole script elements is not an issue, but there are others.

The known XSS risks are:

attacker controls value for the unsafeHTML directive; the string <img src=bogus onerror=alert(document.origin)> can inject code even though straightforward <script> injection fails.
attacker controls text in sensitive locations: html`<script>${ x }</script>`
attacker controls values for sensitive attributes like html`<iframe srcdoc=${ x }>` or html`<script src=${ x }></script>`
attacker controls values assigned to sensitive properties like html`<div .innerHTML=${ x }>`
~~attacker controls string that reaches event handlers like html`<button @onclick=${ x }>`~~
attacker controls CSS which in other contexts has leaked information about page content.

The team is aware of those risks and is working on addressing them.

from lit.dev.

lastmjs commented on July 27, 2024 2

Is there any official documentation on the security/threat model of lit-html? I feel this is very important information and would be very useful to include as a section on the official website: https://lit-html.polymer-project.org

from lit.dev.

mikesamuel commented on July 27, 2024 1

@lastmjs https://github.com/Polymer/polymer-resin#readme captures my threat modelling when I wrote resin. I don't speak for the Polymer project though.

from lit.dev.