breautek commented on code in PR #276:
URL: https://github.com/apache/cordova-js/pull/276#discussion_r1705951174
##########
src/cordova.js:
##########
@@ -43,6 +43,80 @@ var m_window_removeEventListener =
window.removeEventListener;
var documentEventHandlers = {};
var windowEventHandlers = {};
+/**
+ * Mitigation for Event Listener Hijacking
+ */
+(function () {
+ var originalDocumentAddEventListener = document.addEventListener;
+ var originalWindowAddEventListener = window.addEventListener;
+ var documentEventHandlers = {};
+ var windowEventHandlers = {};
+
+ document.addEventListener = function (evt, handler, capture) {
+ var e = evt.toLowerCase();
+ if (typeof documentEventHandlers[e] !== 'undefined') {
+ if (typeof documentEventHandlers[e].subscribe === 'function') {
+ documentEventHandlers[e].subscribe(handler);
+ } else {
+ console.warn('No subscribe function defined for event:', e);
+ }
+ } else {
+ originalDocumentAddEventListener.call(document, evt, handler,
capture);
+ }
+ };
+
+ window.addEventListener = function (evt, handler, capture) {
+ var e = evt.toLowerCase();
+ if (typeof windowEventHandlers[e] !== 'undefined') {
+ if (typeof windowEventHandlers[e].subscribe === 'function') {
+ windowEventHandlers[e].subscribe(handler);
+ } else {
+ console.warn('No subscribe function defined for event:', e);
+ }
+ } else {
+ originalWindowAddEventListener.call(window, evt, handler, capture);
+ }
+ };
+
+ // Securely define your event handlers
+ documentEventHandlers.click = {
+ subscribe: function (handler) {
+ var secureHandler = function (event) {
+ // Perform necessary checks or actions before invoking the
handler
+ if (event && event.target) {
+ var allowedElements = ['button', 'a', 'div'];
+ if
(allowedElements.indexOf(event.target.tagName.toLowerCase()) > -1) {
+ handler(event);
+ } else {
+ console.warn('Click event handler ignored for
disallowed element:', event.target.tagName);
+ }
Review Comment:
I don't believe we can do this restriction.
To summarize
https://github.com/apache/cordova-js/pull/276#discussion_r1705948690
Standard browser behaviour allows click on all tags. Cordova cannot
reasonably block or whitelist specific tags. There's some frameworks that is
widely use that even allows users to use custom tags.
So I think the `allowedElements` check needs to be removed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
