web icon indicating copy to clipboard operation
web copied to clipboard

Published 20 hours ago verified publisher icon dart-lang

How to migrate NodeValidatorBuilder

Open Carapacik opened this issue 1 year ago • 2 comments

How to migrate NodeValidatorBuilder from dart:html to web? And how to setInnerHtml with validator on web for HTMLHtmlElement?

Carapacik avatar Jun 02 '24 23:06 Carapacik

Great question! @srujzs @sigmundch – have we hit this in other migrations?

kevmoo avatar Jun 02 '24 23:06 kevmoo

We haven't hit this yet afaik. We could move this functionality into the helpers, but I believe our long-term goal is that we don't own validation/sanitization as it poses a security risk, and would rather have users use a combination of package:safe_html (which is unfortunately internal only), conformance checks (which is also internal only), and safer browser APIs (like trusted types). Thoughts?

For this specific case (setInnerHtml), the safer alternative seems to be Node.textContent: https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML#security_considerations. I suspect TrustedHTML is also a good alternative, but that won't work on Firefox.

srujzs avatar Jun 03 '24 16:06 srujzs

I'd like to reopen this question.

I want to migrate package:domino to wasm-ready, and it previously supported arbitrary HTML content via setInnerHtml. Is there any fundamental blocker that prevents us the use of setting innerHtml? I get that there are security considerations, but I think a fundamental library like package:web shouldn't hide it unless it is an unsupported feature.

isoos avatar Sep 21 '24 19:09 isoos

To clarify: the browser API is already exposed today (see the Element.innerHTML setter), it just doesn't have the additional guardrails that dart:html's setInnerHtml method had from using the node validator. As such, uses of Element.innerHTML should be treated as unsafe and a potential source for XSS vulnerabilities.

There are safer alternatives we could build/expose, but we haven't yet. After years of experience with the dart:html APIs, we concluded that the node-validation-builder approach is not ideal. So rather than porting that over as a helper in this library, we would prefer to expose a variant like package:safe_html and/or rely more heavily on trusted types like TrustedHTML that were recently added to browsers.

sigmundch avatar Sep 23 '24 15:09 sigmundch

@sigmundch: oh, cool, thanks for the clarification. It turns out for my case I need to use setHTMLUnsafe...

isoos avatar Sep 23 '24 15:09 isoos