
feature: sanitize the formaction attribute when allowlisted, like other URL attributes #202

Open
flavorjones opened this issue Apr 9, 2025 · 0 comments

Comments

@flavorjones (Member)

Originally reported by @maitaii at https://hackerone.com/reports/3008446

When allowlisting the default-blocked form and button tags and the default-blocked formaction attribute, it's possible to inject scripting into the rendered HTML.

We do not consider this to be a vulnerability, since:

  • the application developer must explicitly change the sanitizer configuration to:
    • allow multiple blocked tags (form and button)
    • allow a blocked attribute (formaction)
  • it's not likely to be a common configuration

That said, if the developer has indeed taken advantage of the sharp knife that the API provides and explicitly allowed the form and button tags and the formaction attribute, it would be a good feature to scrub that attribute like we scrub other URL attributes.

Note: this sanitization feature will likely be implemented in Loofah.

References:

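To make concrete what "scrub that attribute like we scrub other URL attributes" would mean, here is an added example in plain Ruby (not Loofah's or rails-html-sanitizer's own code) of the scheme check that sanitizers typically apply to `href`/`src`, extended to `formaction`. The attribute list, the allowed protocols and the sample button attributes are assumed for illustration.

```ruby
require "cgi"

# Attributes whose values are URLs and therefore need a scheme check.
# Including "formaction" is the point of the feature request: once <form>,
# <button> and formaction are allowlisted, a formaction with a script scheme
# is just as dangerous as an href with one. (Assumed list, not the library's.)
URL_ATTRIBUTES = %w[href src action formaction].freeze

# Schemes an application is willing to keep (assumed list). Values with no
# scheme at all, i.e. relative URLs, are kept as they are.
ALLOWED_PROTOCOLS = %w[http https mailto].freeze

# Browsers ignore ASCII control characters and whitespace inside a scheme,
# so "java\tscript:" or " JAVASCRIPT:" must be normalised before checking.
CONTROL_CHARACTERS = /[\u0000-\u0020\u007f]/

# A value has a scheme if it starts with "<letters/digits>:" after
# normalisation; "/path?q=a:b" does not, because it begins with "/".
SCHEME_PATTERN = /\A[a-z0-9][-+.a-z0-9]*:/

# Returns true when the attribute value may stay in the rendered HTML.
def safe_url_value?(value)
  normalized = CGI.unescapeHTML(value.to_s)      # "&#58;" -> ":"
                  .gsub(CONTROL_CHARACTERS, "")  # drop "\t", " ", NUL ...
                  .downcase                      # "JavaScript" -> "javascript"
  return true unless normalized.match?(SCHEME_PATTERN)

  scheme = normalized.split(":", 2).first
  ALLOWED_PROTOCOLS.include?(scheme)
end

# Given one element's attributes as a name => value hash, returns the hash
# with every URL attribute that fails the scheme check removed. Non-URL
# attributes are passed through untouched.
def scrub_url_attributes(attributes)
  attributes.reject do |name, value|
    URL_ATTRIBUTES.include?(name.downcase) && !safe_url_value?(value)
  end
end

# Constructed sample: a submit button whose formaction carries a script scheme.
BUTTON_ATTRIBUTES = { "type" => "submit", "formaction" => "javascript:1" }.freeze

if $PROGRAM_NAME == __FILE__
  p scrub_url_attributes(BUTTON_ATTRIBUTES)  # => {"type"=>"submit"}
end
```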