This repository has been archived by the owner on Feb 2, 2021. It is now read-only.
Kevin Reid edited this page Jun 6, 2019
Background
When guest HTML contains an element that is not permitted by Caja's
whitelist, it is renamed to a custom element (e.g. <title> becomes
<caja-v-title>) so that it may exist in the DOM without having any of
the side effects of the original name. However, such renaming could
change how the text content of the element is parsed — in particular,
if the old name was a "raw text" or "CDATA" element in which the content
may contain < characters interpreted as text rather than markup. In
this case, the result of the renaming is that the HTML passed to the
browser contains unfiltered markup.
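The parsing mismatch described above, shown as an added example that is not Caja's own code: a toy whitelist sanitiser built on Python's html.parser that renames disallowed elements with a hypothetical demo-v- prefix (the whitelist, prefix and guest fragment are all constructed for this demo). With escape_raw_text=False the body of a renamed raw-text element is copied out verbatim, exactly as the old name would have allowed, and a fresh parse of the result (standing in for the browser) turns that text into an element that never passed the whitelist. With escape_raw_text=True the text is serialised according to the new name's content model; this escape-on-rename is one possible mitigation assumed here, not a description of the fix shipped in Caja.

```python
import html
from html.parser import HTMLParser

# Raw-text elements as html.parser knows them ("script", "style"); a browser's
# list is longer (e.g. <title> and <textarea> are RCDATA), but the mechanism
# is the same. The whitelist and prefix below are hypothetical, for this demo.
RAW_TEXT_ELEMENTS = set(HTMLParser.CDATA_CONTENT_ELEMENTS)
ALLOWED = {"div", "p", "b"}
PREFIX = "demo-v-"          # stand-in for the real virtualisation prefix


class Renamer(HTMLParser):
    """Re-serialises a fragment, renaming elements that are not whitelisted.

    escape_raw_text=False reproduces the flaw: text that was raw under the
    old name is copied out verbatim under the new name, which a browser then
    parses as ordinary markup. escape_raw_text=True serialises according to
    the *new* name's content model and escapes that text.
    """

    def __init__(self, escape_raw_text):
        super().__init__()          # convert_charrefs=True: normal text arrives decoded
        self.escape_raw_text = escape_raw_text
        self.out = []
        self.raw_stack = []         # per open element: was it raw text originally?

    def _rename(self, tag):
        return tag if tag in ALLOWED else PREFIX + tag

    def handle_starttag(self, tag, attrs):
        # Attributes are dropped here; a real sanitiser filters them separately.
        self.out.append(f"<{self._rename(tag)}>")
        self.raw_stack.append(tag in RAW_TEXT_ELEMENTS)

    def handle_endtag(self, tag):
        self.out.append(f"</{self._rename(tag)}>")
        if self.raw_stack:
            self.raw_stack.pop()

    def handle_data(self, data):
        # html.parser does not decode character references inside raw-text
        # content, so `data` is exactly the guest's text between those tags.
        originally_raw = bool(self.raw_stack) and self.raw_stack[-1]
        if originally_raw and not self.escape_raw_text:
            self.out.append(data)                      # the bug: verbatim copy
        else:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment, escape_raw_text):
    r = Renamer(escape_raw_text)
    r.feed(fragment)
    r.close()
    return "".join(r.out)


class TagCollector(HTMLParser):
    """Stand-in for the browser: records the start tags a fresh parse produces."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_seen_by_browser(markup):
    c = TagCollector()
    c.feed(markup)
    c.close()
    return c.tags


def unfiltered_tags(markup):
    """Tags a browser would create that are neither whitelisted nor renamed."""
    return [t for t in tags_seen_by_browser(markup)
            if t not in ALLOWED and not t.startswith(PREFIX)]


# Constructed guest fragment: <style> is not whitelisted, and its body is raw
# text that happens to look like a tag.
GUEST = '<div><style><img src="x"></style></div>'

if __name__ == "__main__":
    for flag in (False, True):
        out = sanitize(GUEST, escape_raw_text=flag)
        print(f"escape_raw_text={flag}: {out}")
        print("  browser sees:", tags_seen_by_browser(out),
              "unfiltered:", unfiltered_tags(out))
```

The unfiltered_tags check is the property a regression test for a renaming sanitiser should assert: for any guest input, re-parsing the sanitiser's output must yield only whitelisted or renamed element names. The same check applies to the standalone sanitiser case mentioned below, since it is the renaming step, not the DOM layer, that changes how the content is parsed.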
Impact and Advice
This is a complete breach of the Caja DOM sandbox. Applications of Caja
which provide a DOM to the guest should immediately upgrade to Caja
v6014 or later.
Applications of Caja which do not provide a DOM to the guest are not
affected.
Applications of the standalone html-sanitizer which utilize tag renaming
are also potentially affected and will be protected by the update.