From 32de16a0c3377dd52e3eb2db59b4d2658b91c5dd Mon Sep 17 00:00:00 2001 From: Daniel Vogelheim Date: Fri, 12 Apr 2024 15:29:28 +0200 Subject: [PATCH] Review feedback - Check basic URL parser for failure. - Use colon to designate javascript: scheme. --- index.bs | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/index.bs b/index.bs index 2de933c..5ab8dd2 100644 --- a/index.bs +++ b/index.bs @@ -326,11 +326,11 @@ For the main sanitize operation, using a {{ParentNode}} |node|, a 1. Then [=remove an attribute|remove=] |attr|. 1. If the [=navigating URL attributes list=] [=SanitizerConfig/contains=] «[|elementName|, |attrName|]» and |attr| - [=contains a javascript URL=]: + [=contains a javascript: URL=]: 1. Then [=remove an attribute|remove=] |attr|. 1. If |child|'s [=Element/namespace=] [=string/is=] the [=MathML Namespace=] and |attr|'s [=Attr/local name=] [=string/is=] - "`href`" and |attr| [=contains a javascript URL=]: + "`href`" and |attr| [=contains a javascript: URL=]: 1. Then [=remove an attribute|remove=] |attr|. 1. If the [=animating URL attributes list=] [=SanitizerConfig/contains=] «[|elementName|, |attrName|]» and |attr|'s @@ -344,9 +344,9 @@ For the main sanitize operation, using a {{ParentNode}} |node|, a
-Note: Current browsers support `javascript` URLs +Note: Current browsers support `javascript:` URLs only when navigating. Since navigation itself is not an XSS threat we treat -navigation to `javascript` URLs, but not navigations in general. +navigation to `javascript:` URLs, but not navigations in general. Declarative navigation falls into a handful of categories: @@ -364,11 +364,13 @@ to cover a "per-namespace global" rule. The animation case is covered by the
-To determine whether an |attribute| contains a javascript URL, do this: +To determine whether an |attribute| contains a javascript: URL, do this: 1. Let |url| be the result of running the [=basic URL parser=] on |attribute|'s [=get an attribute value|value=]. -1. Return whether |url|'s [=url/scheme=] [=string/is=] "`javascript`". +1. Let |contains javascript: url| be: + |url| is not `failure` and |url|'s [=url/scheme=] [=string/is=] "`javascript`". +1. Return |contains javascript: url|.