Audit and fix innerHTML scripting disabled parsing behavior for template #10879

Open
hsivonen opened this issue Dec 20, 2024 · 1 comment
Labels: interop (Implementations are not interoperable with each other), topic: parser

Comments

@hsivonen (Member)

What is the issue with the HTML Standard?

Load https://hsivonen.com/test/moz/template-innerHTML.html in Firefox, Safari, and Chrome and examine the results. (Also view source.)

Observations:

  • All three browsers agree on the div cases.
  • All three browsers serialize text children of noscript in template as if scripting was disabled vs. in div as if scripting was enabled.
  • Firefox parses all cases as if scripting was enabled.
  • Safari and Chrome parse the div cases as well as the template contents that are directly in the HTML loaded from network as if scripting was enabled but parse the other template cases as if scripting was disabled.

It appears that these are unintended side effects of how the appropriate template contents owner document.

It seems that template having these inconsistencies compared to div is bad and a hazard that can cause bugs on sites, and it seems that we should make template behave consistently with div here.

Unfortunately, there is existence proof of a site that depends on innerHTML on template parsing as if scripting was disabled.

@annevk added the labels "topic: parser" and "interop (Implementations are not interoperable with each other)" on Jan 16, 2025
@zcorpan (Member) commented Jan 21, 2025

> It seems that template having these inconsistencies compared to div is bad and a hazard that can cause bugs on sites, and it seems that we should make template behave consistently with div here.

Agreed, this kind of thing has been exploited as mutation-XSS previously. https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/
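Added example, not code from the issue, the HTML Standard or any browser: a deliberately small model of the parser rule the observations above and the mutation-XSS remark are about. With the scripting flag enabled, the content of noscript is raw text up to the next end tag; with it disabled, it is ordinary markup, and the serializer likewise only emits noscript text unescaped when scripting is enabled. The `PAYLOAD` string is a constructed sample in the well-known noscript mXSS shape; `parseFragment`, `serialize`, `mutate` and `browserCheck` are names chosen for this example. Everything except `browserCheck` runs in Node without a DOM; `browserCheck` is the div-versus-template comparison the issue asks readers to perform in a real browser.

```javascript
// Minimal model of the HTML tokenizer + tree builder: only the scripting-flag
// rule for <noscript> is modelled. Entities, comments and most insertion-mode
// rules are omitted on purpose (this is an illustration, not a parser to ship).
const VOID = new Set(['img', 'br', 'hr', 'input', 'meta', 'link']);
// Raw-text elements regardless of the scripting flag (spec: script, style, xmp, ...).
const ALWAYS_RAW = new Set(['script', 'style', 'xmp', 'iframe', 'noembed', 'noframes']);

function isRaw(name, scriptingEnabled) {
  return ALWAYS_RAW.has(name) || (name === 'noscript' && scriptingEnabled);
}

// Parse a fragment into {name, attrs, children} nodes; text nodes are strings.
function parseFragment(html, scriptingEnabled) {
  const root = { name: '#root', attrs: {}, children: [] };
  const stack = [root];
  const top = () => stack[stack.length - 1];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') {                           // text run up to next '<'
      const j = html.indexOf('<', i);
      const end = j === -1 ? html.length : j;
      top().children.push(html.slice(i, end));
      i = end;
      continue;
    }
    if (html[i + 1] === '/') {                       // end tag: pop to matching open element
      const gt = html.indexOf('>', i);
      if (gt === -1) { top().children.push(html.slice(i)); break; }
      const name = html.slice(i + 2, gt).trim().toLowerCase();
      const idx = stack.map(n => n.name).lastIndexOf(name);
      if (idx > 0) stack.length = idx;               // unmatched end tags are ignored
      i = gt + 1;
      continue;
    }
    const m = /^<([a-zA-Z][^\s/>]*)/.exec(html.slice(i));
    if (!m) { top().children.push('<'); i++; continue; }
    const name = m[1].toLowerCase();
    const attrs = {};
    i += m[0].length;
    for (;;) {                                       // attributes: name[=value]
      while (/[\s/]/.test(html[i] || '')) i++;
      if (i >= html.length || html[i] === '>') { i++; break; }
      const an = /^[^\s=/>]+/.exec(html.slice(i));
      if (!an) { i++; continue; }
      i += an[0].length;
      let value = '';
      while (/\s/.test(html[i] || '')) i++;
      if (html[i] === '=') {
        i++;
        while (/\s/.test(html[i] || '')) i++;
        const q = html[i];
        if (q === '"' || q === "'") {
          const close = html.indexOf(q, i + 1);
          const end = close === -1 ? html.length : close;
          value = html.slice(i + 1, end);
          i = end + 1;
        } else {
          const uv = /^[^\s>]*/.exec(html.slice(i));
          value = uv[0];
          i += uv[0].length;
        }
      }
      attrs[an[0].toLowerCase()] = value;
    }
    const el = { name, attrs, children: [] };
    top().children.push(el);
    if (VOID.has(name)) continue;
    if (isRaw(name, scriptingEnabled)) {             // RAWTEXT: swallow up to the end tag
      const cm = new RegExp('</' + name + '\\s*>', 'i').exec(html.slice(i));
      const end = cm ? i + cm.index : html.length;
      el.children.push(html.slice(i, end));
      i = cm ? end + cm[0].length : html.length;
      continue;
    }
    stack.push(el);
  }
  return root;
}

const escapeText = s => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = s => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');

// Fragment serialization: noscript text is emitted raw only when scripting is
// enabled (the rule behind the second observation in the issue).
function serialize(node, scriptingEnabled) {
  return node.children.map(c => {
    if (typeof c === 'string') return isRaw(node.name, scriptingEnabled) ? c : escapeText(c);
    const attrs = Object.entries(c.attrs).map(([k, v]) => ` ${k}="${escapeAttr(v)}"`).join('');
    if (VOID.has(c.name)) return `<${c.name}${attrs}>`;
    return `<${c.name}${attrs}>${serialize(c, scriptingEnabled)}</${c.name}>`;
  }).join('');
}

function countElements(node, name) {
  return node.children.reduce((n, c) => typeof c === 'string' ? n
    : n + (c.name === name ? 1 : 0) + countElements(c, name), 0);
}

// Constructed sample: an attribute value that only becomes markup after a
// scripting-disabled parse, serialize, scripting-enabled re-parse round trip.
const PAYLOAD = '<noscript><p title="</noscript><img src=x onerror=alert(1)>"></noscript>';

// Parse as template.innerHTML does in Chrome/Safari (scripting disabled),
// serialize, then let the live document (scripting enabled) parse the result.
function mutate(html) {
  const asDisabled = parseFragment(html, false);
  const reserialized = serialize(asDisabled, false);
  return {
    imgBefore: countElements(asDisabled, 'img'),                   // 0: it is an attribute
    reserialized,
    imgAfter: countElements(parseFragment(reserialized, true), 'img'), // 1: now an element
  };
}

// The same tree serialized under both flags, showing the escaping difference.
function noscriptTextSerialization() {
  const tree = parseFragment('<noscript>a<b>c</b></noscript>', true);
  return { enabled: serialize(tree, true), disabled: serialize(tree, false) };
}

// Browser-only: the div-versus-template comparison the issue asks readers to run.
function browserCheck(markup) {
  const div = document.createElement('div');
  const tpl = document.createElement('template');
  div.innerHTML = markup;
  tpl.innerHTML = markup;
  return { div: div.innerHTML, template: tpl.innerHTML };
}
```

Running `mutate(PAYLOAD)` shows the hazard: a sanitizer that parses untrusted markup through template.innerHTML sees a harmless `<p>` with a `title` attribute and no `<img>`, but the serialized string it hands back contains an `<img onerror>` once the real document parses it with scripting enabled. `browserCheck(PAYLOAD)` run in Firefox versus Chrome or Safari reproduces the interop difference the issue describes.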
