Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(core): ensure sanitizer works if DOMParser return null body #40107

Closed
wants to merge 1 commit into from
Closed

fix(core): ensure sanitizer works if DOMParser return null body #40107

wants to merge 1 commit into from

Conversation

petebacondarwin
Copy link
Member

In some browsers, notably a mobile version of webkit on iPad, the
result of calling DOMParser.parseFromString() returns a document
whose body property is null until the next tick of the browser.
Since this is of no use to us for sanitization, we now fall back to the
"inert document" strategy for this case.

Fixes #39834

@petebacondarwin petebacondarwin added action: review The PR is still awaiting reviews from at least one requested reviewer security Issues that generally impact framework or application security area: security Issues related to built-in security features, such as HTML sanitation target: patch This PR is targeted for the next patch release core: sanitization browser: safari labels Dec 14, 2020
@ngbot ngbot bot added this to the Backlog milestone Dec 14, 2020
@google-cla google-cla bot added the cla: yes label Dec 14, 2020
@pullapprove pullapprove bot added the area: core Issues related to the framework runtime label Dec 14, 2020
@petebacondarwin petebacondarwin mentioned this pull request Dec 14, 2020
Closed
@petebacondarwin
fix(core): ensure sanitizer works if DOMParser return null body
36ed960 
In some browsers, notably a mobile version of webkit on iPad, the
result of calling `DOMParser.parseFromString()` returns a document
whose `body` property is null until the next tick of the browser.
Since this is of no use to us for sanitization, we now fall back to the
"inert document" strategy for this case.

Fixes angular#39834
@petebacondarwin
Copy link
Member Author

@koto can you take a look too?

@pullapprove pullapprove bot requested a review from mhevery December 14, 2020 17:31
@petebacondarwin petebacondarwin added the action: presubmit The PR is in need of a google3 presubmit label Dec 14, 2020
@petebacondarwin
Copy link
Member Author

From a security point of view, I want to know whether there are situations where the inert document helper should not be used even if the DOMParser helper fails...

@koto
Copy link
Contributor

koto commented Dec 15, 2020

From a security point of view, I want to know whether there are situations where the inert document helper should not be used even if the DOMParser helper fails...

Not to my knowledge. LGTM.

jessicajaniuk
jessicajaniuk approved these changes Dec 17, 2020
View reviewed changes
Copy link
Contributor

@jessicajaniuk jessicajaniuk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

jelbourn
jelbourn approved these changes Dec 22, 2020
View reviewed changes
Copy link
Member

@jelbourn jelbourn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Reviewed-for: fw-security

IgorMinar
IgorMinar approved these changes Jan 5, 2021
View reviewed changes
Copy link
Contributor

@IgorMinar IgorMinar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

interesting browser bug. LGTM!

Reviewed-for: fw-security

@IgorMinar IgorMinar removed the request for review from mhevery January 5, 2021 22:56
@IgorMinar IgorMinar added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Jan 5, 2021
@AndrewKushnir AndrewKushnir removed the action: presubmit The PR is in need of a google3 presubmit label Jan 6, 2021
josephperrott pushed a commit that referenced this pull request Jan 6, 2021
@petebacondarwin @josephperrott
fix(core): ensure sanitizer works if DOMParser return null body (#40107)
add7cbb 
In some browsers, notably a mobile version of webkit on iPad, the
result of calling `DOMParser.parseFromString()` returns a document
whose `body` property is null until the next tick of the browser.
Since this is of no use to us for sanitization, we now fall back to the
"inert document" strategy for this case.

Fixes #39834

PR Close #40107
@petebacondarwin petebacondarwin deleted the sanitizer-issue-39834 branch January 14, 2021 09:08
@jsgoupil
Copy link

@petebacondarwin This fix is amazing. Thank you. It reduced my exception metric by 90%... seriously.

@angular-automatic-lock-bot
Copy link

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Feb 14, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@JoostK JoostK JoostK left review comments

@jsgoupil jsgoupil jsgoupil left review comments

@mhevery mhevery mhevery approved these changes

@IgorMinar IgorMinar IgorMinar approved these changes

@jelbourn jelbourn jelbourn approved these changes

@zarend zarend zarend approved these changes

@jessicajaniuk jessicajaniuk jessicajaniuk approved these changes

Assignees
No one assigned
Labels
action: merge The PR is ready for merge by the caretaker area: core Issues related to the framework runtime area: security Issues related to built-in security features, such as HTML sanitation browser: safari cla: yes core: sanitization security Issues that generally impact framework or application security target: patch This PR is targeted for the next patch release
Projects
None yet
Milestone
Backlog
Development

Successfully merging this pull request may close these issues.

getInertBodyElement returns null, crashing in _sanitizeHtml
10 participants
@petebacondarwin @koto @jsgoupil @mhevery @JoostK @IgorMinar @jelbourn @zarend @jessicajaniuk @AndrewKushnir