
do not reject data: protocol

Open kapouer opened this issue 8 years ago • 2 comments

Though I don't have a clear idea if the data: protocol can be an XSS attack vector. Maybe at least URIs starting with data:image/ should be allowed - they should be pretty harmless.

kapouer avatar Apr 17 '17 15:04 kapouer

The data protocol can allow attack vectors through data:text/html, so we shouldn't allow that. It's also possible in Firefox (even current) to use the embed element and data:image/svg+xml as an attack vector.

These are the only examples I could find, but I'm not a security expert. From what I've read, to guarantee XSS prevention you should only accept http and https.

straker avatar Apr 18 '17 04:04 straker
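The two positions in this thread (reject data: outright and accept only http/https, or carve out data:image/ as harmless) can both be expressed as a small URL allowlist. The following is an added example written for this page, not code from the html-tagged-template project; the function name `isSafeUrl`, the `allowDataImage` option and the placeholder base URL are assumptions. It resolves the candidate against a placeholder base so that relative URLs are accepted, lowercases and trims via the WHATWG `URL` parser, and, when the data:image/ carve-out is enabled, still refuses image/svg+xml, which is the case straker notes can be scripted via an embed element in Firefox.

```javascript
// Added example (not part of the html-tagged-template project): a URL
// allowlist of the kind discussed in this issue. Assumptions: only http(s)
// and same-document relative URLs are acceptable; data:image/* may be
// opted in, but image/svg+xml is never accepted.

const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Placeholder base so that relative URLs ("/a", "b.png", "//host/c") parse.
// The .invalid TLD is reserved and never resolves.
const PLACEHOLDER_BASE = "https://placeholder.invalid/";

function parseUrl(value) {
  try {
    // The URL constructor lower-cases the scheme and strips leading and
    // trailing whitespace, so "  HTTPS://..." and "Data:..." normalise here.
    return new URL(String(value).trim(), PLACEHOLDER_BASE);
  } catch {
    return null; // unparseable input is rejected, never passed through
  }
}

function isSafeUrl(value, { allowDataImage = false } = {}) {
  const raw = String(value).trim();
  if (raw === "") return false; // "" would resolve to the base; treat as unsafe

  const url = parseUrl(raw);
  if (url === null) return false;

  if (url.protocol === "data:") {
    if (!allowDataImage) return false;
    // For data: URLs the opaque path is "<mime>[;params],<payload>".
    const mime = url.pathname.split(/[;,]/)[0].toLowerCase();
    // image/* is allowed, except SVG, which can carry script.
    return mime.startsWith("image/") && mime !== "image/svg+xml";
  }

  // Relative inputs resolved against the https: base land here too.
  return SAFE_SCHEMES.has(url.protocol);
}

// Constructed sample inputs to illustrate the checks (not from the issue).
const SAMPLES = [
  "https://example.com/a",
  "  HTTP://example.com ",
  "/relative/path",
  "data:text/html,<b>x</b>",
  "data:image/png;base64,iVBORw0KGgo=",
  "data:image/svg+xml,<svg/>",
  "ftp://example.com/f",
  "https://exa mple.com",
];

function summarize(options) {
  return SAMPLES.map((s) => [s, isSafeUrl(s, options)]);
}

for (const [s, ok] of summarize({ allowDataImage: true })) {
  console.log(`${ok ? "allow " : "reject"}  ${JSON.stringify(s)}`);
}
```

With `allowDataImage` left at its default the function matches straker's recommendation (http and https only); enabling it implements kapouer's suggestion while keeping the SVG case closed.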

It feels odd, though, to discard mechanisms upstream. Users of template strings should not merge unsafe data in the first place...

kapouer avatar Apr 18 '17 07:04 kapouer