This bothers me slightly in the context of End-to-End tainting, but it is probably a more general issue. As we can now taint through the HTML parser, the question is, how do we report that tainted data ends up in the HTML parser?
We have to differentiate between DOMParser.parseFromString() and the "real" HTML parser here, complicating things further.
We could simply report any tainted string going into the HTML parser, or try to be more "precise", i.e., if tainted data is used to parse a tag, but then the question is, does the same hold for an attribute key, value, a comment, etc.?
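To make the "any tainted string" versus "precise" reporting options concrete, here is an added example (not code from the project under discussion, and not the real HTML5 tokenizer): a toy tokenizer that records which syntactic role (tag name, attribute name, attribute value, text, comment, or bare markup such as `<`, `>`, `=`, quotes) each tainted character range of the input string ends up in. Taint is modelled as `[start, end)` index ranges, the way a string-taint engine would carry it through concatenation. The function names `tokenizeHtml`, `classifyTaint`, `concatTainted` and `reportSink`, the sink label, and all inputs are assumptions constructed for the example; the tokenizer does not decode entities, handle raw-text elements like `<script>`, or model the difference between `DOMParser.parseFromString()` and the document parser, so the same classification would be attached to either sink.

```javascript
// Added example, not the project's own code. Toy HTML tokenizer that reports
// where each tainted character range ends up, so a "precise" sink report can
// say tag name / attribute value / comment / text / markup instead of only
// "a tainted string entered the parser".

function tokenizeHtml(html) {
  // Returns {kind, start, end} spans. Delimiters (<, >, =, quotes, whitespace)
  // are left uncovered and are reported as 'markup' by classifyTaint.
  const tokens = [];
  const n = html.length;
  let i = 0;
  while (i < n) {
    if (html.startsWith('<!--', i)) {
      let end = html.indexOf('-->', i + 4);
      end = end === -1 ? n : end + 3;
      tokens.push({ kind: 'comment', start: i, end });
      i = end;
    } else if (html[i] === '<' && /[A-Za-z\/]/.test(html[i + 1] || '')) {
      let j = i + 1;
      if (html[j] === '/') j++;
      const nameStart = j;
      while (j < n && !/[\s\/>]/.test(html[j])) j++;
      tokens.push({ kind: 'tagname', start: nameStart, end: j });
      while (j < n && html[j] !== '>') {
        while (j < n && /[\s\/]/.test(html[j])) j++;
        if (j >= n || html[j] === '>') break;
        const attrStart = j;
        while (j < n && !/[\s=\/>]/.test(html[j])) j++;
        tokens.push({ kind: 'attrname', start: attrStart, end: j });
        while (j < n && /\s/.test(html[j])) j++;
        if (html[j] === '=') {
          j++;
          while (j < n && /\s/.test(html[j])) j++;
          const q = html[j];
          let vStart, vEnd;
          if (q === '"' || q === "'") {
            vStart = j + 1;
            vEnd = html.indexOf(q, vStart);
            if (vEnd === -1) vEnd = n;
            j = Math.min(vEnd + 1, n);
          } else {
            vStart = j;
            while (j < n && !/[\s>]/.test(html[j])) j++;
            vEnd = j;
          }
          tokens.push({ kind: 'attrvalue', start: vStart, end: vEnd });
        }
      }
      i = Math.min(j + 1, n);
    } else {
      let end = html.indexOf('<', i + 1);
      if (end === -1) end = n;
      tokens.push({ kind: 'text', start: i, end });
      i = end;
    }
  }
  return tokens;
}

function classifyTaint(html, taintRanges) {
  // Token kinds touched by any tainted character, sorted for stable output.
  const tokens = tokenizeHtml(html);
  const kinds = new Set();
  for (const [s, e] of taintRanges) {
    for (let p = s; p < e; p++) {
      const tok = tokens.find((t) => t.start <= p && p < t.end);
      kinds.add(tok ? tok.kind : 'markup');
    }
  }
  return [...kinds].sort();
}

function concatTainted(parts) {
  // Build a string from trusted/untrusted pieces and record taint ranges,
  // mimicking what a taint-aware string concatenation would produce.
  let html = '';
  const ranges = [];
  for (const { s, tainted } of parts) {
    if (tainted && s.length) ranges.push([html.length, html.length + s.length]);
    html += s;
  }
  return { html, ranges };
}

function reportSink(sink, html, ranges, policy) {
  // 'any': coarse option, any tainted string entering the parser is reported.
  // 'precise': fine-grained option, report the syntactic roles taint took.
  if (ranges.length === 0) return null;
  const where = policy === 'any' ? ['string'] : classifyTaint(html, ranges);
  return { sink, where };
}

// Constructed inputs (not taken from any real page): one sink label, several
// tainted pieces landing in different syntactic positions.
const CASES = {
  attrValueOnly: [{ s: '<a href="', tainted: false }, { s: 'https://example.com', tainted: true }, { s: '">x</a>', tainted: false }],
  attrBreakout: [{ s: '<a href="', tainted: false }, { s: '"><img src=x onerror=alert(1)>', tainted: true }, { s: '">x</a>', tainted: false }],
  textOnly: [{ s: '<p>', tainted: false }, { s: 'hello', tainted: true }, { s: '</p>', tainted: false }],
  commentOnly: [{ s: '<!-- ', tainted: false }, { s: 'note', tainted: true }, { s: ' -->', tainted: false }],
  commentBreakout: [{ s: '<!-- ', tainted: false }, { s: '--><script>', tainted: true }, { s: ' -->', tainted: false }],
};

function runCases(policy = 'precise') {
  const out = {};
  for (const [name, parts] of Object.entries(CASES)) {
    const { html, ranges } = concatTainted(parts);
    out[name] = reportSink('Element.innerHTML', html, ranges, policy).where;
  }
  return out;
}

console.log(runCases('any'));
console.log(runCases('precise'));
```

Under the coarse policy every case is reported identically, while the precise policy separates a URL that stays inside an attribute value from a payload that closes the quote and introduces new tag and attribute names, and likewise a comment body from a `-->` breakout; the `markup` kind is what flags the injection, since it means tainted characters supplied structural delimiters rather than content.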