gribse/achille-press
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Sanitize location.hash before passing it to getElementById

Browse source 
There is no actual vulnerability in the existing implementation, as we
can only fetch existing elements (no DOM injection is possible). Plus,
the only call occurring on those elements is `HTMLElement#focus`.

Consider this an extra, more future-proof precaution.
This commit is contained in:
Miguel Fonseca 2015-02-17 17:52:36 +00:00
parent 56bad5250d
commit dea243f2eb
1 changed files with 8 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

9
js/skip-link-focus-fix.js
View file

@ -5,7 +5,14 @@
if ( ( is_webkit || is_opera || is_ie ) && document.getElementById && window.addEventListener ) {
window.addEventListener( 'hashchange', function() {
var element = document.getElementById( location.hash.substring( 1 ) );
var id = location.hash.substring( 1 ),
element;
if ( ! /^[A-z0-9_-]+$/.test( id ) ) {
return;
}
element = document.getElementById( id );
if ( element ) {
if ( ! /^(?:a|select|input|button|textarea)$/i.test( element.tagName ) ) {