-
Notifications
You must be signed in to change notification settings - Fork 24.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(core): ensure sanitizer works if DOMParser return null body #40107
fix(core): ensure sanitizer works if DOMParser return null body #40107
Conversation
In some browsers, notably a mobile version of webkit on iPad, the result of calling `DOMParser.parseFromString()` returns a document whose `body` property is null until the next tick of the browser. Since this is of no use to us for sanitization, we now fall back to the "inert document" strategy for this case. Fixes angular#39834
705beec
to
36ed960
Compare
@koto can you take a look too? |
From a security point of view, I want to know whether there are situations where the inert document helper should not be used even if the DOMParser helper fails... |
Not to my knowledge. LGTM. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Reviewed-for: fw-security
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
interesting browser bug. LGTM!
Reviewed-for: fw-security
In some browsers, notably a mobile version of webkit on iPad, the result of calling `DOMParser.parseFromString()` returns a document whose `body` property is null until the next tick of the browser. Since this is of no use to us for sanitization, we now fall back to the "inert document" strategy for this case. Fixes #39834 PR Close #40107
@petebacondarwin This fix is amazing. Thank you. It reduced my exception metric by 90%... seriously. |
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
In some browsers, notably a mobile version of webkit on iPad, the
result of calling
DOMParser.parseFromString()
returns a documentwhose
body
property is null until the next tick of the browser.Since this is of no use to us for sanitization, we now fall back to the
"inert document" strategy for this case.
Fixes #39834