Skip to content

cleanup: set style using CSS #2666

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
stephanwlee merged 1 commit into from
Sep 18, 2019
Merged

cleanup: set style using CSS #2666

stephanwlee merged 1 commit into from
Sep 18, 2019

Conversation

@stephanwlee
Copy link
Contributor

@stephanwlee stephanwlee commented Sep 18, 2019

Setting the style manually generally is not recommended as it can
contain JavaScript invoking CSS.

@stephanwlee
cleanup: set style using CSS
0696f48 
Setting the style manually generally is not recommended as it can
contain JavaScript invoking CSS.
wchargin
wchargin approved these changes Sep 18, 2019
View reviewed changes
Copy link
Contributor

@wchargin wchargin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this attack vector relevant in modern browsers? I looked into this
briefly a bit ago and the closest I could find was that if you can
insert arbitrary CSS then you can cause arbitrary GET requests via CSS
imports, but I didn’t see any way to actually invoke JS.

(Approval in any case, as this is nicer anyway.)

@stephanwlee
Copy link
Contributor Author

stephanwlee commented Sep 18, 2019

Is this attack vector relevant in modern browsers?

Not that I know of but polymer-resin (https://github.com/Polymer/polymer-resin) hates it. As usual, I won't say I understand why/how it decides to hate it but I was able to witness the hatred thru an experiment. It reads something like

Failed to sanitize attribute of <vz-line-chart2>: <vz-line-chart2 style="opacity: 0.3;">

@wchargin
Copy link
Contributor

wchargin commented Sep 18, 2019

Cool (I inferred as much from the branch name :-) ). If you do find a
proof-of-concept snippet for this vector, I’d love to see it.

@psybuzz
Copy link
Contributor

psybuzz commented Sep 18, 2019

Nice! I have a style question: do we prefer "data-" attributes instead of classnames?

@stephanwlee
Copy link
Contributor Author

stephanwlee commented Sep 18, 2019

do we prefer "data-" attributes instead of classnames

There is no policy but reflection to attribute is too darn easy for boolean ones. It is a lot more cumbersome to do something like https://www.npmjs.com/package/classnames. Also, not sure if this is relevant, but especially because styles are scoped per shadow DOM, such attributes do not tend to bite you in bad ways.

@stephanwlee stephanwlee merged commit ef51bc4 into tensorflow:master Sep 18, 2019
@stephanwlee stephanwlee deleted the resin branch September 18, 2019 14:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@wchargin wchargin wchargin approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

cla: yes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@stephanwlee @wchargin @psybuzz @googlebot