## Background

In certain cases, HTML elements can be “named” in ways that are
reflected as properties of DOM nodes, possibly overriding the normal
values of those properties. Caja's DOM sandbox was not sufficiently
aware of this, so a host DOM node was exposed directly to the guest
when given HTML of the form

    <form><input name="length"></form>
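
The shadowing described above, and one defensive way to read a built-in property regardless of it, as an added example that is not from the advisory or the Caja code base and is not the fix Caja applied. `FakeForm` is a constructed stand-in for a browser form so the block runs without a DOM; `builtinGetter`, `readBuiltin` and `isShadowed` are hypothetical helper names.

```javascript
// Added example, not Caja's code. Reads a built-in property through the
// prototype's accessor so a same-named form control cannot shadow it.
function builtinGetter(proto, prop) {
  // Walk the prototype chain to find the accessor that defines `prop`.
  for (let p = proto; p; p = Object.getPrototypeOf(p)) {
    const d = Object.getOwnPropertyDescriptor(p, prop);
    if (d) return typeof d.get === 'function' ? d.get : null;
  }
  return null;
}

function readBuiltin(node, proto, prop) {
  const get = builtinGetter(proto, prop);
  if (!get) throw new TypeError(prop + ' is not an accessor on the given prototype');
  return get.call(node);
}

function isShadowed(node, proto, prop) {
  // Plain property access is what a wrapper unaware of naming would do.
  return node[prop] !== readBuiltin(node, proto, prop);
}

// Constructed stand-in for a browser form element (assumption: models only
// the "named control becomes a property of the form" behaviour).
class FakeForm {
  constructor() { this._controls = []; }
  get length() { return this._controls.length; }
  addControl(name) {
    const control = { tagName: 'INPUT', name };
    this._controls.push(control);
    Object.defineProperty(this, name, { value: control, configurable: true });
    return control;
  }
}

function demo() {
  const form = new FakeForm();
  const input = form.addControl('length'); // <form><input name="length"></form>
  return {
    naiveReturnsNode: form.length === input,
    safeLength: readBuiltin(form, FakeForm.prototype, 'length'),
    shadowed: isShadowed(form, FakeForm.prototype, 'length'),
  };
}
```

In a browser, pass the real form node and `HTMLFormElement.prototype` in place of the stand-in.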

## Impact and Advice

This is a complete breach of the Caja DOM sandbox. Applications of Caja
which provide a DOM to the guest should immediately upgrade to Caja
v6004 (https://github.com/google/caja/releases/tag/v6004) or later.

Applications of Caja which do not provide a DOM to the guest are not
affected.

## More Information

Discussion of the immediate fix may be found at:

  * https://codereview.appspot.com/235830043/

Discussion of a more robust fix which interfered with <form> submit
functionality and was therefore not applied may be found at:

  * https://codereview.appspot.com/226460043/
