Sanitize location.hash before passing it to getElementById
There is no actual vulnerability in the existing implementation, as we can only fetch existing elements (no DOM injection is possible). Plus, the only call occurring on those elements is `HTMLElement#focus`. Consider this an extra, more future-proof precaution.
parent
56bad5250d
commit
dea243f2eb
|
@ -5,7 +5,14 @@
|
||||||
|
|
||||||
if ( ( is_webkit || is_opera || is_ie ) && document.getElementById && window.addEventListener ) {
|
if ( ( is_webkit || is_opera || is_ie ) && document.getElementById && window.addEventListener ) {
|
||||||
window.addEventListener( 'hashchange', function() {
|
window.addEventListener( 'hashchange', function() {
|
||||||
var element = document.getElementById( location.hash.substring( 1 ) );
|
var id = location.hash.substring( 1 ),
|
||||||
|
element;
|
||||||
|
|
||||||
|
if ( ! /^[A-z0-9_-]+$/.test( id ) ) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
element = document.getElementById( id );
|
||||||
|
|
||||||
if ( element ) {
|
if ( element ) {
|
||||||
if ( ! /^(?:a|select|input|button|textarea)$/i.test( element.tagName ) ) {
|
if ( ! /^(?:a|select|input|button|textarea)$/i.test( element.tagName ) ) {
|
||||||
|
|
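Review bot: The character class in the new guard, `/^[A-z0-9_-]+$/`, uses the range `A-z`, which in ASCII also spans `[`, `\`, `]`, `^` and the backtick, so the allowlist accepts more than the letters, digits, underscore and hyphen it appears to intend. Writing the test as `if ( ! /^[A-Za-z0-9_-]+$/.test( id ) ) {` makes the check match that intent. The early `return` also means a fragment whose id contains any other character (a dot, a colon, a non-ASCII letter) now skips the focus fix silently, so a one-line comment above the test, such as `// Only plain ASCII ids are handled; anything else is ignored on purpose.`, would record that this is deliberate. The hashchange handler continues past the end of the hunk, so the rest of its body was not reviewed.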