worker-dom icon indicating copy to clipboard operation
worker-dom copied to clipboard
verified publisher icon ampproject

Script tags created by innerHTML should not execute when synced to main thread

Open jridgewell opened this issue 7 years ago • 2 comments

After https://github.com/ampproject/worker-dom/issues/283, we should fix the thread mutation sync so that script elements don't execute on the main thread:

div.innerHTML = `
  <script>alert("I won't execute");</script>
`;

When we do this, we should also ensure that regularly created script elements do execute:

const s = document.createElement('script');
s.textContent = `alert("I will execute");`;
div.appendChild(s);

One way to do this would be to add a _disabled flag to the node. When using innerHTML, script._disabled = true. When it's being recreated on the main thread, we can do the following:

const throwaway = document.createElement('div');
throwaway.innerHTML = `<script></script>`;
const script = throwaway.firstChild;

A script created like this will not be able to execute.

jridgewell avatar Feb 27 '19 21:02 jridgewell

This looks like a good addition for the safe mode.

kristoferbaxter avatar Feb 27 '19 22:02 kristoferbaxter

Safe mode/DOMPurify won't allow injection of script tags that execute code anyways, so this is only relevant to the "unsafe" mode.

Tangent: Should we rename "safe" mode to "AMP" mode?

dreamofabear avatar Mar 04 '19 15:03 dreamofabear