Sanitize location.hash before passing it to getElementById

There is no actual vulnerability in the existing implementation, as we
can only fetch existing elements (no DOM injection is possible). Plus,
the only call occurring on those elements is `HTMLElement#focus`.

Consider this an extra, more future-proof precaution.
Miguel Fonseca 2015-02-17 17:52:36 +00:00
parent 56bad5250d
commit dea243f2eb
1 changed files with 8 additions and 1 deletions


@ -5,7 +5,14 @@
if ( ( is_webkit || is_opera || is_ie ) && document.getElementById && window.addEventListener ) { if ( ( is_webkit || is_opera || is_ie ) && document.getElementById && window.addEventListener ) {
window.addEventListener( 'hashchange', function() { window.addEventListener( 'hashchange', function() {
var element = document.getElementById( location.hash.substring( 1 ) ); var id = location.hash.substring( 1 ),
element;
if ( ! /^[A-z0-9_-]+$/.test( id ) ) {
return;
}
element = document.getElementById( id );
if ( element ) { if ( element ) {
if ( ! /^(?:a|select|input|button|textarea)$/i.test( element.tagName ) ) { if ( ! /^(?:a|select|input|button|textarea)$/i.test( element.tagName ) ) {