fix(compiler): add mglyph src to security schema to prevent XSS #67113
ZeroXJacks wants to merge 2 commits into angular:main from
Conversation
Added missing 'src' attribute for 'mglyph' to enhance security against XSS.
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Added missing attribute 'mglyph|src' for security enhancement to prevent XSS.
// =========== S T O P - S T O P - S T O P - S T O P - S T O P - S T O P ===========
// =================================================================================================
// =================================================================================================
//
// DO NOT EDIT THIS LIST OF SECURITY SENSITIVE PROPERTIES WITHOUT A SECURITY REVIEW!
Can you please revert the changes here.
Thanks for the PR, but

Thank you for the quick review. While I understand that current mainstream browsers may not execute javascript: URIs via the mglyph[src] attribute, I believe its omission from the SECURITY_SCHEMA represents a Security Context Omission that contradicts Angular's "Secure by Default" architecture for the following reasons:

Future Browser Changes: If a browser engine decides to unify the handling of src and href in MathML, Angular apps will be zero-day vulnerable because the framework explicitly "trusted" the attribute.

Bypass of Developer Intent: When a developer uses [attr.src], they rely on Angular to be the first line of defense. The fact that javascript:alert(1) is rendered raw without the unsafe: prefix (unlike href) proves a failure in the framework's sanitization logic, regardless of the browser's final execution policy.

Proof of Inconsistency (Unit Test):

I request a re-review of this PR not as a fix for an immediate Chrome exploit, but as a necessary patch to ensure Sanitization Consistency and robust Defense in Depth within the compiler's security schema.

Best regards,
This PR adds the src attribute of the MathML mglyph element to the SECURITY_SCHEMA.
Problem: Currently, mglyph[src] is not mapped to any SecurityContext, causing it to default to SecurityContext.NONE. This allows an attacker to bypass Angular's DomSanitizer and execute arbitrary JavaScript using javascript: URIs.
Solution: By adding mglyph|src to the schema, Angular will correctly sanitize the attribute as a URL context, aligning it with how mglyph[href] and mglyph[xlink:href] are handled.
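The schema lookup and fall-through to SecurityContext.NONE that the description relies on, as an added, simplified TypeScript model written for this note (not Angular's own source): buildSchema, securityContext, sanitizeUrl and bindAttribute are constructed names, the schema entries are an illustrative subset, and the scheme allowlist stands in for Angular's real URL sanitizer.

```typescript
// Simplified model of Angular's compiler security schema and core URL sanitizer.
// Constructed for this note; it is NOT Angular's own source. Names below
// (buildSchema, securityContext, sanitizeUrl, bindAttribute) are hypothetical.
const SecurityContext = {
  NONE: 0, HTML: 1, STYLE: 2, SCRIPT: 3, URL: 4, RESOURCE_URL: 5,
} as const;
type SecurityContext = (typeof SecurityContext)[keyof typeof SecurityContext];

type Schema = Map<string, SecurityContext>;

// Keys follow the "tag|attr" convention the PR uses ("mglyph|src");
// "*|attr" applies to every tag. Entries here are a small illustrative subset.
function buildSchema(extraUrlEntries: string[]): Schema {
  const schema: Schema = new Map();
  const register = (ctx: SecurityContext, keys: string[]): void => {
    for (const key of keys) schema.set(key.toLowerCase(), ctx);
  };
  register(SecurityContext.URL,
    ['*|formAction', 'a|href', 'img|src', 'mglyph|href', 'mglyph|xlink:href']);
  register(SecurityContext.RESOURCE_URL, ['iframe|src', 'script|src']);
  register(SecurityContext.URL, extraUrlEntries); // e.g. ['mglyph|src'] after the PR
  return schema;
}

// Lookup: exact "tag|attr" first, then the "*|attr" wildcard, else NONE.
// NONE is the fall-through the PR description calls out: the value is bound raw.
function securityContext(schema: Schema, tag: string, attr: string): SecurityContext {
  const exact = schema.get(`${tag}|${attr}`.toLowerCase());
  if (exact !== undefined) return exact;
  return schema.get(`*|${attr}`.toLowerCase()) ?? SecurityContext.NONE;
}

// Conservative URL check: a scheme allowlist or a scheme-less relative URL.
// Anything else (javascript:, data:, vbscript:, ...) gets the "unsafe:" prefix,
// which is the behaviour the reply above contrasts against the raw mglyph[src].
const SAFE_URL = /^(?:(?:https?|mailto|ftp|tel|file|sms):|[^&:/?#]*(?:[/?#]|$))/i;
function sanitizeUrl(url: string): string {
  return SAFE_URL.test(String(url).trim()) ? url : 'unsafe:' + url;
}

// Apply whatever context the schema assigns to a bound attribute value.
function bindAttribute(schema: Schema, tag: string, attr: string, value: string): string {
  switch (securityContext(schema, tag, attr)) {
    case SecurityContext.URL:
      return sanitizeUrl(value);
    case SecurityContext.RESOURCE_URL:
      // Angular refuses plain strings here; only a trusted value is accepted.
      throw new Error(`${tag}[${attr}] requires a trusted resource URL`);
    default:
      return value; // NONE (HTML/STYLE are out of scope here): passed through unchanged
  }
}
```

Building the schema with `[]` models the tree before the PR and with `['mglyph|src']` the tree after it; the same `javascript:` value is bound raw in the first case and prefixed with `unsafe:` in the second.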