Merging fixes covering nesting-based mXSS into 3.x branch #943

Merged
merged 15 commits into from
Apr 25, 2024

Commits on Apr 16, 2024

  1. see #939

    docs: Updated README to be more accurate for Trusted Types use cases
    cure53 committed Apr 16, 2024
    632f122

Commits on Apr 23, 2024

  1. c5369f2
  2. c725ce0
  3. f051738

Commits on Apr 24, 2024

  1. fix: Added __depth field to sanitized DOM nodes for better tracking

    test: Added tests to cover possible nesting-based mXSS on Blink & Webkit
    cure53 committed Apr 24, 2024
    ce799c3
  2. 81d963c
  3. fix: Added __depth tracking for ShadowDOM and template elements as well

    fix: Set MAX_NESTING_DEPTH to 500 for good measure
    test: Added more tests to cover template element depth tracking
    cure53 committed Apr 24, 2024
    4299c0a
  4. fix: Added experimental __depth increment for copied elements

    test: Removed Firefox 60, added Firefox 125, Chrome 124
    cure53 committed Apr 24, 2024
    65d35b8
  5. 6dbc2bd
  6. fix: added __removalCount to account for nodes removed from parents when calculating depth
    
    test: added more nesting-based mXSS tests and clobbering tests for __removalCount
    icesfont committed Apr 24, 2024
    813d065

Commits on Apr 25, 2024

  1. Merge pull request #941 from icesfont/fix/deep-nesting-mxss

    fix: added __removalCount to account for nodes removed from parents w…
    cure53 committed Apr 25, 2024
    1f494b9
  2. ef4bbb4
  3. 6e240ec
  4. 2a554b4
  5. Merge pull request #942 from kyselberg/main

    docs(README.md): correct hook name in example and remove misleading comment
    cure53 committed Apr 25, 2024
    c0d418c