AppleTV named as XSS-payloads trigger when AirPlay is used
authorgraouts@webkit.org <graouts@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 4 Oct 2019 10:57:43 +0000 (10:57 +0000)
committergraouts@webkit.org <graouts@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 4 Oct 2019 10:57:43 +0000 (10:57 +0000)
https://bugs.webkit.org/show_bug.cgi?id=202534
<rdar://55931262>

Reviewed by Eric Carlson.

Ensure we escape an AirPlay's device name before inserting its name into the DOM.

* Modules/modern-media-controls/media/placard-support.js:
(PlacardSupport.prototype._updateAirPlayPlacard):
(PlacardSupport):
(escapeHTML):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250716 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/Modules/modern-media-controls/media/placard-support.js

index 624f9c0..bcb8c9c 100644 (file)
@@ -1,3 +1,18 @@
+2019-10-03  Antoine Quint  <graouts@apple.com>
+
+        AppleTV named as XSS-payloads trigger when AirPlay is used
+        https://bugs.webkit.org/show_bug.cgi?id=202534
+        <rdar://55931262>
+
+        Reviewed by Eric Carlson.
+
+        Ensure we escape an AirPlay's device name before inserting its name into the DOM.
+
+        * Modules/modern-media-controls/media/placard-support.js:
+        (PlacardSupport.prototype._updateAirPlayPlacard):
+        (PlacardSupport):
+        (escapeHTML):
+
 2019-10-04  Oriol Brufau  <obrufau@igalia.com>
 
         [css-grid] Preserve auto repeat() in getComputedStyle() for non-grids
index 799e00f..3e42175 100644 (file)
@@ -80,7 +80,7 @@ class PlacardSupport extends MediaControllerSupport
         
         switch(this.mediaController.host.externalDeviceType) {
             case 'airplay':
-                deviceName = UIString("This video is playing on ā€œ%sā€.", this.mediaController.host.externalDeviceDisplayName || UIString("Apple TV"));
+                deviceName = UIString("This video is playing on ā€œ%sā€.", escapeHTML(this.mediaController.host.externalDeviceDisplayName) || UIString("Apple TV"));
                 break;
             case 'tvout':
                 deviceName = UIString("This video is playing on the TV.");
@@ -90,3 +90,10 @@ class PlacardSupport extends MediaControllerSupport
     }
 
 }
+
+function escapeHTML(unsafeString)
+{
+    var div = document.createElement("div");
+    div.textContent = unsafeString;
+    return div.innerHTML;
+}