This repository has been archived by the owner on Feb 2, 2021. It is now read-only.

SecurityAdvisory20160128

Kevin Reid edited this page Jan 28, 2016 · 1 revision

Background

In certain cases, HTML elements can be “named” in ways which are reflected as properties of DOM nodes, possibly overriding the normal values of particular properties. Caja's DOM sandbox was not sufficiently aware of this, which led to a host DOM node being exposed directly to the guest given HTML of the form:

<form><input name="length"></form>
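The shadowing described above, as an added example that is not part of the original advisory and is not Caja's code: a Node.js model of a form whose named control overrides `length`, with a naive property read beside a hardened one. `ModelForm`, `makeForm`, `naiveLength` and `safeLength` are hypothetical names, the Proxy is a constructed stand-in for browser behavior, and the hardened read is a generic defense, not the fix shipped in v6004.

```javascript
// Constructed model of a <form> node; runs in Node.js without a browser DOM.
const controlsOf = new WeakMap(); // internal slot: form -> its list of controls

class ModelForm {
  // Built-in accessor, playing the role of HTMLFormElement.prototype.length.
  get length() { return controlsOf.get(this).length; }
}

// Build a form whose named controls shadow built-in properties: the named
// lookup is consulted before the prototype chain, as browsers do for <form>.
function makeForm(controls) {
  const form = new Proxy(new ModelForm(), {
    get(target, prop, receiver) {
      const named = controls.find(c => c.name === prop);
      return named !== undefined ? named : Reflect.get(target, prop, receiver);
    },
  });
  controlsOf.set(form, controls);
  return form;
}

// Naive wrapper: assumes form.length is a number and returns it to the guest.
function naiveLength(form) {
  return form.length;
}

// Hardened wrapper: call the built-in getter taken from the prototype, which
// bypasses the named-property lookup, then check the type before returning.
const builtinLength =
  Object.getOwnPropertyDescriptor(ModelForm.prototype, 'length').get;

function safeLength(form) {
  const n = builtinLength.call(form);
  if (typeof n !== 'number') {
    throw new TypeError('length is not a number; refusing to expose it');
  }
  return n;
}

// Constructed stand-in for <form><input name="length"></form>.
const hostInput = { tagName: 'INPUT', name: 'length' };
const clobberedForm = makeForm([hostInput]);

console.log(naiveLength(clobberedForm) === hostInput); // the host node itself
console.log(safeLength(clobberedForm));                // the real control count
```

In a browser the same hardened read uses the getter from `HTMLFormElement.prototype` in place of `ModelForm.prototype`.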

Impact and Advice

This is a complete breach of the Caja DOM sandbox. Applications of Caja which provide a DOM to the guest should immediately upgrade to Caja v6004 or later.

Applications of Caja which do not provide a DOM to the guest are not affected.

More Information

Discussion of the immediate fix may be found at:

Discussion of a more robust fix which interfered with <form> submit functionality and was therefore not applied may be found at:
