Commit

Update "Namespace Isolation" pattern description
ericcornelissen authored Nov 6, 2024
1 parent dd747e8 commit 3193859
Showing 1 changed file with 2 additions and 3 deletions.
5 changes: 2 additions & 3 deletions domc_wiki/indicators/patterns.md
Expand Up @@ -49,7 +49,6 @@ Properties of `document` can always be overwritten by DOM Clobbering, even immed

### Namespace Isolation

While robust sanitizers may remove [named properties](https://webidl.spec.whatwg.org/#dfn-support-named-properties), an alternative solution is to separate the namespace of variables defined by JavaScript code and named properties in user-generated markups. For example, the markdown to HTML converter of source code version control applications often prefix `id` and `name` attribute values of user-generated markup with a specific string. Motivated by this solution, one can monitor runtime changes in the DOM tree via the [MutationObserver API](https://developer.mozilla.org/en-US/docs/Web/API/MutationObserver), and prefix named properties of all dynamically inserted markups before adding them to the tree, which patches all aforementioned vulnerable patterns.


While robust sanitizers may remove [named properties](https://webidl.spec.whatwg.org/#dfn-support-named-properties), an alternative solution is to separate the namespace of variables defined by JavaScript code and named properties in user-generated markups. For example, the markdown to HTML converter of source code version control applications often prefix `id` and `name` attribute values of user-generated markup with a specific string. If you use [DOMPurify](https://cure53.de/purify) you can use the [`SANITIZE_NAMED_PROPS`](https://github.com/cure53/DOMPurify/pull/710) option to automatically namespace `id`s and `name`s.

Alternatively, one monitor runtime changes in the DOM tree via the [MutationObserver API](https://developer.mozilla.org/en-US/docs/Web/API/MutationObserver), and prefix named properties of all dynamically inserted markups before adding them to the tree like [@weizman/shield](https://weizmangal.com/shield/) does. This provides some protections provided you can ensure it is run first, but you need to be careful when dynamically inserting HTML because it can temporarily cause clobbering. Also, some newer `<iframe>`-based clobbering techniques might be able to sidestep it.
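
Review bot: In the added "Alternatively, ..." paragraph, the first sentence says named properties are prefixed "before adding them to the tree", while the next sentence says dynamically inserting HTML "can temporarily cause clobbering"; the two statements conflict, so say which one holds for the MutationObserver approach and, if there is a window between insertion and prefixing, state it explicitly. The same sentence is missing a verb ("one monitor runtime changes" should read "one can monitor runtime changes"), and "provides some protections provided" repeats itself. The closing claim about newer `<iframe>`-based clobbering techniques has no link, unlike the other references in this section; a citation would let readers check which techniques are meant.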
