REGRESSION: HTML injection vulnerability in dijit.Tree

[Nathan Toone]

To test, open dijit/tests/_data/countries.json and edit

name:'Africa'

to read

name:'Africa <font color="red">Hi</font>'

In 1.3, the HTML was properly escaped, however, in the 1.4 beta1, the HTML gets injected.

I'm classing this as a blocker, since it's a) a regression, and b) a security concern with many.

[Nathan Toone]

This broke in revision [20247]

[Nathan Toone]

Patch which fixes this issue

[Nathan Toone]

The above patch fixes this issue by allowing widgets to define "escapeHTML" on their attributeMap when innerHTML is the type. This may be an issue with other widgets, and in those cases, we'll need to add escapeHTML:true to their attribute maps as well.

[bill]

Good catch.

I think I'd like to call this "innerText", see #9000, rather than "innerHTML" w/an additional escaping flag.

[bill]

Note though that other widgets take HTML from dojo.data, see for example ComboBox (the custom label example in test_ComboBox.html, and also Button IIRC), so calling this a "regression" rather than a "bug fix" is just a matter of opinion.

[Nathan Toone]

My only reason for calling it a "regression" is that dijit.Tree "worked in 1.3"

[bill]

Yes, it worked in 1.3 It also works in 1.4. Unfortunately the API documentation doesn't specify whether labelAttr/store.getLabel() is supposed to be interpreted as HTML or plain text.

Anyway, I'll make it interpret the label as plain text.

[bill]

(In [20609]) Add innerText type for attributeMap (similar to innerHTML but for plain text), and use it for Tree labels, to match Tree's 1.3 behavior. Fixes #9000, #10128, refs #9230 !strict.