On Fri, Jan 9, 2015 at 12:29 PM, Boris Zbarsky <bzbar...@mit.edu> wrote:
> Ok, what about this testcase:
>   var parent = document.createElement("x-my-element");
>   var input = document.createElement("input");
>   parent.appendChild(input);
>   input.value = "file:///etc/passwd";
>   parent.cloneNode(true);
> and then in the cloning callback for x-my-element, assuming "newNode" is the
> clone:
>   newNode.firstChild.type = "file";
> That seems to me like it would do the type set before the cloning callback
> for the input runs, right?

Both parent and input need to be cloned in this case. While parent's
callback runs it changes the type of input, at which point input's
callback runs. So, yes.

It's a bit unclear to me why "When an input element's type attribute
changes state" does not sanitize this value in any way though or how
cloning it makes it a security concern.


Reply via email to