Comply with Trusted Types

Open shhnjk opened this issue 4 years ago • 4 comments

Summary

html2canvas has a Trusted Types violation due to use of the document.write API, which is considered a dangerous sink for XSS. This change fixes that and makes html2canvas compatible with Trusted Types.

Fixes: #2858

Test plan (required)

Existing tests should be sufficient as there is no change in the functionality. There should be a test to check for Trusted Types violations, but the existing test.js has multiple Trusted Types violations, so I wasn't able to use that infra.

shhnjk avatar Feb 25 '22 01:02 shhnjk

@shhnjk, what about this fix - https://github.com/niklasvh/html2canvas/commit/ac3e5faafeb9ff359f3e8a0a583cded12fc9df0e - so that we avoid maintaining TT policy? Thanks.

tosmolka avatar Jul 04 '22 15:07 tosmolka

@tosmolka, have you checked if your solution actually picks up things like internalSlot or publicId from DocType? If that works, I think your solution is elegant :)

shhnjk avatar Jul 05 '22 00:07 shhnjk

@shhnjk, from my tests it works well with name, publicId and systemId (https://dom.spec.whatwg.org/#concept-doctype).

I don't think it works with internalSubset in newer browsers but that's expected as this property was deprecated and is no longer supported there.

tosmolka avatar Jul 11 '22 07:07 tosmolka
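The approach discussed in the comments above, carrying a DOCTYPE into a cloned document without an HTML string sink, can be sketched as follows. This is an added example, not code from this PR or from the linked commit; the names `copyDoctype` and `sameDoctype` are hypothetical, and `source` and `target` are assumed to be DOM `Document` objects.

```javascript
// Added example (not html2canvas code). `source` and `target` are assumed
// to be DOM Document objects; the function names are hypothetical.

// Copy the DOCTYPE from `source` into `target` with DOM node APIs only.
// createDocumentType() takes three plain strings that are never parsed as
// markup, so nothing is passed to document.write and no Trusted Types
// policy has to be created or maintained for this step.
function copyDoctype(source, target) {
  const dt = source.doctype;
  if (!dt) return null; // source has no DOCTYPE: nothing to copy

  // The API has no parameter for internalSubset, so only these three
  // fields can be carried over.
  const clone = target.implementation.createDocumentType(
    dt.name,
    dt.publicId,
    dt.systemId
  );

  if (target.doctype) {
    // A document may hold only one DOCTYPE: swap the existing one out.
    target.replaceChild(clone, target.doctype);
  } else {
    // Insert before the first child so the DOCTYPE precedes the root element.
    target.insertBefore(clone, target.firstChild);
  }
  return clone;
}

// Check that the copy preserved the fields named in the thread.
function sameDoctype(a, b) {
  return ['name', 'publicId', 'systemId'].every((k) => a[k] === b[k]);
}
```

In a browser, `sameDoctype(copyDoctype(document, clonedDocument), document.doctype)` should return `true` for any page that declares a DOCTYPE.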

@niklasvh could you take a look? Thanks!

shhnjk avatar Jan 12 '23 17:01 shhnjk