This repository has been archived by the owner on Feb 2, 2021. It is now read-only.
Kevin Reid edited this page Apr 16, 2015 · 1 revision
(legacy labels: Attack-Vector)
Reported by Gareth
Event handlers execute in a scope that binds globals to DOM Properties
Effect
A DOM node may be manipulated by global assignment in a way that could execute unsanitized JavaScript.
Background
DOM Level 2 defines event handlers to allow scripts to fire when an OS event occurs in the context of a node.
These handlers are typically snippets of JavaScript that execute in an environment that provides access to the event being handled, and bind `this` to the DOM node.
Some browsers also provide global bindings for DOM node fields.
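A model of the scope described above, as an added example that is not code from the original page: a plain object stands in for the DOM node, and the `with`-based handler construction, the helper names (`traced`, `compileHandler`, `capturedWrites`) and the sample values are assumptions made for illustration. It records which bare-name assignments in a handler body land on the node rather than on the global object.

```javascript
// Added example: a plain object stands in for the DOM node (no real DOM).

// Wrap the node so bare-name writes resolved through `with` are recorded.
function traced(node, log) {
  return new Proxy(node, {
    has: (t, key) => key in t,
    get: (t, key) => (key === Symbol.unscopables ? undefined : t[key]),
    set: (t, key, value) => {
      log.push(String(key));
      t[key] = value;
      return true;
    },
  });
}

// Assumed model of the handler scope: the body runs with the node's fields
// in scope and `this` bound to the node. The Function constructor always
// produces sloppy-mode code, so `with` is accepted even from a module.
function compileHandler(body, node, log) {
  const make = new Function('node',
    'with (node) { return function (event) { ' + body + ' }; }');
  return make(traced(node, log)).bind(node);
}

// Run a handler body once and report which bare names landed on the node.
function capturedWrites(body, node) {
  const log = [];
  compileHandler(body, node, log)({ type: 'click' });
  return log;
}

// Constructed sample node and handler body.
function demo() {
  const link = { tagName: 'A', href: 'https://example.test/reviewed' };
  const body = 'href = "https://example.test/other"; clickCount = 1;';
  const captured = capturedWrites(body, link);
  return { captured, href: link.href, globalCount: globalThis.clickCount };
}

console.log(demo());
```

Only `href` appears in the log: `clickCount` is not a field of the node, so that assignment falls through to the global object as the handler's author would expect.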
Assumptions
DOM event handlers are allowed and execute in the normal scope, and global assignment is allowed.