On Mon, Apr 8, 2013 at 8:14 AM, Frederik Braun <[email protected]> wrote:
> Hi all,
>
> this is -in fact- no news at all, but I just felt the urge to re-iterate
> on the issue of innerHTML [1]:
> Our team (security assurance) has recently performed security reviews of
> all Gaia apps and went through a lot of JavaScript files that used
> innerHTML to render text.
> As of writing this text, gaia-master from github still contains hundreds
> of innerHTML assignments [2].
>
> While this is a huge performance loss [3] for all users, it also means
> extra work for us:
> We have to check all the innerHTML assignments to see if the right-hand
> value might be influenced by user-supplied data. If this is the case, an
> attacker might use this to XSS or DoS a user's phone.
>
> To help remedy this state, I want to advocate the use of my tiny
> html2dom [4] code snippet: The demo will show you how to convert an HTML
> snippet into JavaScript code that uses DOM methods like createElement
> and setAttribute. You can then use this generated code to replace your
> current innerHTML assignments manually [5].
>
>
> tl;dr innerHTML is still slow and makes security reviews harder for us.
> Please use DOM methods like document.createElement(). My tool might help
> you [4]. Track your efforts as blockers against this bug [5].
>

Frederik,

Thanks for the update re: innerHTML. I've reviewed the html2dom tool and there is a lot of work needed before I would consider using it.

1. Don't expose the entire implementation on the global object (almost every identifier is declared globally).
2. Do you plan on adding unit tests that prove this tool works correctly? Observation isn't enough, especially considering #1.

Rick

_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
