threatpointer commented on code in PR #276:
URL: https://github.com/apache/cordova-js/pull/276#discussion_r1705942429
##########
src/cordova.js:
##########
@@ -43,6 +43,80 @@ var m_window_removeEventListener =
window.removeEventListener;
var documentEventHandlers = {};
var windowEventHandlers = {};
+/**
+ * Mitigation for Event Listener Hijacking
+ */
+(function() {
+ var originalDocumentAddEventListener = document.addEventListener;
+ var originalWindowAddEventListener = window.addEventListener;
+ var documentEventHandlers = {};
+ var windowEventHandlers = {};
+
+ document.addEventListener = function (evt, handler, capture) {
+ var e = evt.toLowerCase();
+ if (typeof documentEventHandlers[e] !== 'undefined') {
+ if (typeof documentEventHandlers[e].subscribe === 'function') {
+ documentEventHandlers[e].subscribe(handler);
+ } else {
+ console.warn('No subscribe function defined for event:', e);
+ }
+ } else {
+ originalDocumentAddEventListener.call(document, evt, handler,
capture);
+ }
+ };
+
+ window.addEventListener = function (evt, handler, capture) {
+ var e = evt.toLowerCase();
+ if (typeof windowEventHandlers[e] !== 'undefined') {
+ if (typeof windowEventHandlers[e].subscribe === 'function') {
+ windowEventHandlers[e].subscribe(handler);
+ } else {
+ console.warn('No subscribe function defined for event:', e);
+ }
+ } else {
+ originalWindowAddEventListener.call(window, evt, handler, capture);
+ }
+ };
+
+ // Securely define your event handlers
+ documentEventHandlers['click'] = {
+ subscribe: function(handler) {
+ var secureHandler = function(event) {
+ // Perform necessary checks or actions before invoking the
handler
+ if (event && event.target) {
+ var allowedElements = ['button', 'a', 'div'];
+ if
(allowedElements.includes(event.target.tagName.toLowerCase())) {
Review Comment:
The aim is not to be excessively restrictive _(the tags are more of starting
pont)_, but rather to define a set of permissible elements. The stance is
framework offers secure-by-default configurations that can be adjusted
according to the user's requirements as needed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
