This can happen when the templating engine uses constructs that insert raw HTML into the document. While this approach is generally acceptable, care should be taken to avoid use of constructs that would allow the insertion of executable code.
Working with arbitrary stringsĪnother common pattern is to create a local HTML template for a page and use remote values to fill in the blanks. This article examines how to work safely with remote data and add it to a DOM.
This situation can leave a user's browser open to remote attack by enabling the website that injected the code to access critical user data, such as passwords, browser history, or browsing behavior. In the worst case, an embedded script could run in one of these contexts, a situation known as privilege escalation. You also need to remember that extensions have privileged contexts, for example in background scripts and content scripts. Therefore, care needs to be taken to avoid evaluating arbitrary text as HTML. If you were to extract the title, assume it was plain text, and add it to the DOM of a page created by your extension, your user now has an unknown script running in their browser. This could be something as simple as including JavaScript code within tags. So, it's possible the user could subscribe to a feed where, for example, a feed item's title includes a script. You don't know what RSS feeds your extension will open and have no control over the content of those RSS feeds. But, there is the risk that the source may have malicious scripts embedded in it-added by either the developer of the source or by a malicious third-party. There are times when you might want or need to include content from an external source in your extension. Differences between API implementations.
0 kommentar(er)
