Impact
The validation logic in dart:html for creating DOM nodes from text (String instances) missed a vulnerability when the HTML text contained templates. When the validation logic encountered a template tag it reset the flag indicating that the text had been sanitized, so nodes occurring after a template tag were left open to XSS attacks that use DOM clobbering.
Affected APIs and more information on how NodeValidator is used to prevent attacks can be found in the previous security advisory: XSS vulnerability in dart:html.
All Dart SDK releases up to and including 2.12.2 (stable) and 2.14.0-2.0.dev (dev) are affected.
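The failure mode above, modelled in a small tree-walking validator as an added example (constructed for this advisory, not the dart:html sanitizer or its fix): one walker carries a shared "checking" flag that a template tag clears, so a later sibling with a clobbering-capable attribute is never examined; the hardened walker judges every node on its own and also descends into the template's content. Node shapes, the allow-lists and the sample tree are assumptions of this example.

```javascript
// Illustrative model of a tree-walking node validator (constructed for this
// example; not the dart:html sanitizer). A node is { tag, attrs, children }
// and a template node additionally carries its `content` fragment.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'img', 'template']);
const ALLOWED_ATTRS = new Set(['class', 'src', 'alt']);

// A node is acceptable only if its tag and every attribute are allow-listed.
// 'id' and 'name' are deliberately absent because DOM clobbering relies on
// them to shadow window/document properties.
function nodeAllowed(node) {
  if (!ALLOWED_TAGS.has(node.tag)) return false;
  return Object.keys(node.attrs || {}).every((a) => ALLOWED_ATTRS.has(a));
}

// Flawed walker, modelling the advisory's failure mode: one mutable flag is
// cleared when a <template> is met, so siblings after it are not examined.
function rejectedNodesFlawed(nodes) {
  const rejected = [];
  let checking = true;
  for (const node of nodes) {
    if (node.tag === 'template') { checking = false; continue; }
    if (!checking) continue;
    if (!nodeAllowed(node)) rejected.push(node);
    rejected.push(...rejectedNodesFlawed(node.children || []));
  }
  return rejected;
}

// Hardened walker: no shared state. Every node is judged independently and
// the template's content fragment is walked like any other subtree.
function rejectedNodes(nodes) {
  const rejected = [];
  for (const node of nodes) {
    if (!nodeAllowed(node)) rejected.push(node);
    rejected.push(...rejectedNodes(node.children || []));
    if (node.tag === 'template') rejected.push(...rejectedNodes(node.content || []));
  }
  return rejected;
}

// Constructed sample: a benign element, a template, then an element carrying
// an attribute the allow-list does not permit.
const SAMPLE = [
  { tag: 'p', attrs: { class: 'intro' }, children: [] },
  { tag: 'template', attrs: {}, children: [], content: [] },
  { tag: 'img', attrs: { src: 'x.png', name: 'clobber' }, children: [] },
];
```

Running both walkers over SAMPLE shows the flawed one reporting nothing while the hardened one rejects the trailing img node.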
Patches
If you're using a stable release of Dart, version 2.12.3 or later contains changes that address this vulnerability.
If you're using a dev release of Dart, version 2.14.0-3.0.dev or later contains these changes.
Workarounds
Please see the related security advisory above for workarounds if you cannot update the Dart SDK.
References
An article on DOM clobbering.
For more information
See our community page to find ways to contact the team.
Thanks
Thanks to Vincenzo di Cicco for finding and reporting this additional vulnerability.