How to bind a javascript href and bypass XSS unsafe protection?

andruby · March 11, 2015, 10:00am

Hi,

I need to bind a javascript payload to an <a href={{bookmarklet_url}}> element. The bookmarklet_url is generated through a computed property and is safe from user inputs.

Ember added protection against this type of XSS in 1.9.1 which add “unsafe:” to the href. We were able bypass the protection with {{unbound bookmarklet_url}}.

We’ve moved to Ember v1.11.0 beta’s and our workaround no longer works. How can I bypass the XSS protection?

Thanks, Andrew

Balu · March 29, 2016, 8:03am

Hi, In Ember 1.11.0 version the Ember team has introduced bound attribute syntax feature. So we don’t need to escape/bypass any of the inputs. Ember does this for you by default.

For better understanding please refer to: Ember.js 1.11.0 and 1.12 Beta Released

Topic		Replies	Views
Not vulnerable to XSS fast markdown library	4	2237	June 26, 2015
Unsafe protocol in the embed tag	3	1444	March 22, 2016
Binding style attributes warning still popping up with safe string	12	7118	December 30, 2015
Escape html manually with ember built-in function? Questions	2	1418	November 29, 2019
Embed tag src attribute prepends unsafe: in ember js	1	958	May 1, 2019

How to bind a javascript href and bypass XSS unsafe protection?

Related topics