Title: [High][view] bq-bind writes unsanitized values to URL/event-handler/srcdoc attributes (DOM-XSS) · Issue #164 · bQuery/bQuery · GitHub
Open Graph Title: [High][view] bq-bind writes unsanitized values to URL/event-handler/srcdoc attributes (DOM-XSS) · Issue #164 · bQuery/bQuery
X Title: [High][view] bq-bind writes unsanitized values to URL/event-handler/srcdoc attributes (DOM-XSS) · Issue #164 · bQuery/bQuery
Description: Severity: 🟠 High Location Client: src/view/directives/bind.ts:9-23 (sink at :18) SSR: src/ssr/renderer.ts:470-517 / src/ssr/render.ts (srcdoc variant) Description handleBind writes any attribute directly from runtime data with no protoco...
Open Graph Description: Severity: 🟠 High Location Client: src/view/directives/bind.ts:9-23 (sink at :18) SSR: src/ssr/renderer.ts:470-517 / src/ssr/render.ts (srcdoc variant) Description handleBind writes any attribute di...
X Description: Severity: 🟠 High Location Client: src/view/directives/bind.ts:9-23 (sink at :18) SSR: src/ssr/renderer.ts:470-517 / src/ssr/render.ts (srcdoc variant) Description handleBind writes any attribute di...
Opengraph URL: https://github.com/bQuery/bQuery/issues/164
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[High][view] bq-bind writes unsanitized values to URL/event-handler/srcdoc attributes (DOM-XSS)","articleBody":"## Severity: 🟠 High\n\n## Location\n- Client: [`src/view/directives/bind.ts:9-23`](../blob/main/src/view/directives/bind.ts#L9-L23) (sink at `:18`)\n- SSR: [`src/ssr/renderer.ts:470-517`](../blob/main/src/ssr/renderer.ts#L470-L517) / [`src/ssr/render.ts`](../blob/main/src/ssr/render.ts) (`srcdoc` variant)\n\n## Description\n`handleBind` writes any attribute directly from runtime data with **no protocol or attribute-name validation**:\n```ts\nel.setAttribute(attrName, String(value));\n```\nThe attribute *name* is template-controlled (trusted), but the *value* is runtime data — exactly the class the framework tells authors is safe to bind. This is inconsistent with `bq-html`, where `sanitizeHtml` blocks `javascript:` in `href`/`src`/`action`. `bq-bind` — the most common way to bind data to an attribute — has none of that.\n\nConcrete exploits, all with tainted data in the context signal:\n- `\u003ca bq-bind:href=\"link\"\u003e` with `link = \"javascript:alert(document.cookie)\"` → clickable script execution.\n- `\u003cimg bq-bind:src=\"u\"\u003e` / `\u003ciframe bq-bind:src=\"u\"\u003e` with a `javascript:`/`data:` URL.\n- `\u003cdiv bq-bind:onclick=\"h\"\u003e` with `h = \"alert(1)\"` → `setAttribute('onclick', …)` registers an inline handler.\n\n**SSR variant (`srcdoc`):** the SSR `bq-bind` implementation *does* block `on*` and validates a fixed URL-attribute list, but `srcdoc` on `\u003ciframe\u003e` is neither, and `\u003ciframe\u003e` is not stripped by the serializers. Attribute-encoding is insufficient because the browser decodes entities and parses `srcdoc` as a full HTML document:\n```\nInput: \u003ciframe bq-bind:srcdoc=\"msg\"\u003e\u003c/iframe\u003e msg = '\u003cscript\u003ealert(1)\u003c/script\u003e'\nOutput: \u003ciframe ... srcdoc=\"\u0026lt;script\u0026gt;alert(1)\u0026lt;/script\u0026gt;\"\u003e\u003c/iframe\u003e → executes\n```\n\n## Suggested fix\nIn `handleBind` (and the SSR equivalents), for URL-bearing attributes (`href`, `src`, `action`, `formaction`, `xlink:href`, `poster`, `background`, `srcset`) run the value through the security module's `isSafeUrl`/`isSafeSrcset` and drop it on failure; refuse (or warn on) `on*` attribute names; treat `srcdoc` as an HTML sink (drop, sanitize, or require explicit opt-in). Prefer an **allowlist** of bind-target attributes over a denylist, and reuse `src/security` rather than re-implementing.\n\n---\n_Filed as part of a full-codebase security \u0026 correctness audit._\n","author":{"url":"https://github.com/JosunLP","@type":"Person","name":"JosunLP"},"datePublished":"2026-07-05T17:02:46.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/164/bQuery/issues/164"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:d812b489-fed7-c8b6-8774-7f40450faafa |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | EE32:38D8C:CE8450:11C4692:6A4DE877 |
| html-safe-nonce | 55c13e99d5bc9dc03d6dd2641ddae40f94c96aefb5e6f2fd0f4eee9d01c1af8c |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFRTMyOjM4RDhDOkNFODQ1MDoxMUM0NjkyOjZBNERFODc3IiwidmlzaXRvcl9pZCI6IjY2MTk1ODAwNTcxMTAwNDY4MzkiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | b22ce15e133153db011300242524304c9ada4302e72628a04d85ab53d3f0b30e |
| hovercard-subject-tag | issue:4813692744 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/bQuery/bQuery/164/issue_layout |
| twitter:image | https://opengraph.githubassets.com/ae351c58c617792cda07f37b1249821532edd3dbe27f6646c7b469ed60109bec/bQuery/bQuery/issues/164 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/ae351c58c617792cda07f37b1249821532edd3dbe27f6646c7b469ed60109bec/bQuery/bQuery/issues/164 |
| og:image:alt | Severity: 🟠 High Location Client: src/view/directives/bind.ts:9-23 (sink at :18) SSR: src/ssr/renderer.ts:470-517 / src/ssr/render.ts (srcdoc variant) Description handleBind writes any attribute di... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | JosunLP |
| hostname | github.com |
| expected-hostname | github.com |
| None | 06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33 |
| turbo-cache-control | no-preview |
| go-import | github.com/bQuery/bQuery git https://github.com/bQuery/bQuery.git |
| octolytics-dimension-user_id | 256381806 |
| octolytics-dimension-user_login | bQuery |
| octolytics-dimension-repository_id | 1139284244 |
| octolytics-dimension-repository_nwo | bQuery/bQuery |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 1139284244 |
| octolytics-dimension-repository_network_root_nwo | bQuery/bQuery |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width