
Security: Mitigate DOM-based XSS in resolveUrl and inner-h-t-m-l bindings#5753

Open
JoshuaProvoste wants to merge 1 commit into Polymer:master from JoshuaProvoste:fix/dom-based-xss-vulnerabilities

Conversation

@JoshuaProvoste

Polymer Security Patch: DOM-based XSS Hardening

Compliance with Contribution Guidelines (CONTRIBUTING.md)

This Pull Request has been prepared in strict accordance with the official Polymer project requirements:

  • Linked to Open Issue: Officially linked to Polymer/polymer#5752.
  • Unit Tests Included: Included test/unit/security.html with coverage for the new attack vectors.
  • Coding Style: Complies with the JavaScript Style Guidelines of the project and Google.
  • Branching Strategy: Development performed in the independent branch fix/dom-based-xss-vulnerabilities.
  • CLA Signature: Ready for validation by the Google CLA-bot.
  • Reproduction Steps: Detailed in the PR description to facilitate audit by maintainers.
[screenshot: poc.html (xss)]

Description

This PR addresses two critical DOM-based Cross-Site Scripting (XSS) vectors identified in the Polymer core library. These vulnerabilities allow attackers to execute arbitrary JavaScript through dynamically resolved URLs and unsanitized property bindings to inner-h-t-m-l.

Identified Issues

  1. Insecure URL Resolution (resolveUrl): The ABS_URL regex was overly permissive, allowing executable protocols like javascript:, data:, and vbscript: to be returned as-is during URL resolution.
  2. Unsanitized HTML Bindings (innerHTML): Bindings to the inner-h-t-m-l attribute (normalized to innerHTML) were not sanitized by default when a global sanitizeDOMValue hook was absent, leading to direct script and event-handler injection.

Changes Implemented

  • lib/utils/resolve-url.js:
    • Added a robust protocol whitelist check (http, https, mailto, tel).
    • Implemented a fallback to about:blank for unsafe schemes (javascript:, data:, vbscript:) to prevent malicious execution while maintaining compatibility for safe absolute/relative URLs.
  • lib/mixins/property-effects.js:
    • Introduced a "secure-by-default" logic in applyBindingValue targets.
    • Automatically sanitizes dynamic values bound to inner-h-t-m-l or innerHTML by stripping <script> blocks and prefixing on* event handlers (e.g., onerror becomes sanitized-error).
  • test/unit/security.html:
    • [NEW] Added a comprehensive security test suite containing 5 unit tests to verify the fixes and prevent regressions across the affected components.

Supplementary Tooling

To aid developers in identifying and preventing these vulnerabilities in their own Polymer applications, a dedicated ESLint plugin has been developed:

Verification Results

Tests were performed using the official Web Component Tester (WCT) runner and manual browser verification:

  • resolveUrl Tests: 4/4 PASS (Verified blocking of javascript: and permission of https://).
  • innerHTML Tests: 1/1 PASS (Verified neutralization of onerror handlers).

Compliance & Guidelines

  • All tests pass (npm test).
  • Adheres to Polymer coding style.
  • Security test suite included.
  • Verified that no existing functionality for legitimate URL resolution is broken.

Breaking Changes / Compatibility

While this change introduces default sanitization for inner-h-t-m-l, it acts as a defensive layer. For users who require full HTML control, the existing Polymer.sanitizeDOMValue hook remains the recommended mechanism and will override these defaults if configured.
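The two mitigations the description covers, a scheme allowlist in URL resolution and a safe default for inner-h-t-m-l bindings, worked through as an added example in JavaScript. This is neither the PR's code nor Polymer's: it takes the scheme list (http, https, mailto, tel) and the about:blank fallback from the description, but uses the WHATWG URL parser instead of a regex so that the browser's own scheme normalisation (case-folding, tab and newline removal, trimming of leading whitespace) runs before the check, and, instead of stripping script blocks out of bound HTML, it escapes any innerHTML binding that is not wrapped in an assumed SafeHtml marker type, which also covers markup-embedded vectors such as anchors with javascript: hrefs. `resolveUrlSafe`, `makeSanitizeDOMValue`, `SafeHtml`, `URL_SINKS` and the inputs in `demo()` are constructed for this illustration; the hook signature (value, name, type, node) is the one Polymer passes to its sanitizeDOMValue hook.

```javascript
// Added example (not the PR's or Polymer's code). Runs under Node, which
// provides the global WHATWG URL class; no DOM or Polymer import is needed.

// Schemes a resolved URL may carry (list taken from the PR description).
// Anything else (javascript:, data:, vbscript:, blob:, ...) becomes INERT_URL.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);
const INERT_URL = 'about:blank';

// Resolve `url` against `base` and return it only if its scheme is allowed.
// The URL parser applies the same normalisation the browser does before
// navigating (lower-cases the scheme, deletes tabs/newlines, trims leading
// and trailing control characters and spaces), so "JaVaScRiPt:" or
// "java\tscript:" are recognised as javascript: rather than slipping past a
// literal string match.
function resolveUrlSafe(url, base) {
  let parsed;
  try {
    parsed = new URL(String(url), base);
  } catch (e) {
    return INERT_URL; // unparseable input is not a usable URL either
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : INERT_URL;
}

// Hypothetical marker type (assumption for this example): HTML the
// application itself produced, e.g. output of a real HTML sanitizer.
// Only values wrapped in it reach innerHTML verbatim.
class SafeHtml {
  constructor(html) { this.html = String(html); }
}

function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Attribute/property names whose value the browser navigates to or fetches.
const URL_SINKS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href', 'data', 'poster']);

// Build a hook in the shape Polymer calls: (value, name, type, node), where
// type is 'property' or 'attribute'. `node` is not consulted, so the hook also
// runs outside a browser. `baseUrl` is an assumed parameter for the demo; in a
// page it would be document.baseURI.
function makeSanitizeDOMValue(baseUrl) {
  return function sanitizeDOMValue(value, name, type, node) {
    const lname = String(name).toLowerCase();
    if (lname === 'innerhtml') {
      // Default-deny: untrusted strings become text, SafeHtml passes through.
      return value instanceof SafeHtml ? value.html : escapeHtml(value);
    }
    if (URL_SINKS.has(lname)) {
      return resolveUrlSafe(value, baseUrl);
    }
    if (type === 'attribute' && lname.startsWith('on')) {
      return ''; // inline event-handler attributes never come from data
    }
    return value;
  };
}

// Registration (browser only, shown as comments):
//   Polymer 3: import {setSanitizeDOMValue} from '@polymer/polymer/lib/utils/settings.js';
//              setSanitizeDOMValue(makeSanitizeDOMValue(document.baseURI));
//   Polymer 2: Polymer.sanitizeDOMValue = makeSanitizeDOMValue(document.baseURI);

// Constructed sample bindings (not taken from the PR) exercising each branch.
function demo() {
  const sanitize = makeSanitizeDOMValue('https://app.example/docs/');
  return {
    relative: sanitize('guide.html', 'href', 'attribute', null),
    protocolRelative: sanitize('//cdn.example/x.js', 'src', 'attribute', null),
    js: sanitize('javascript:alert(1)', 'href', 'attribute', null),
    jsMixedCase: sanitize('JaVaScRiPt:alert(1)', 'href', 'attribute', null),
    jsTab: sanitize('java\tscript:alert(1)', 'href', 'attribute', null),
    jsLeadingSpace: sanitize(' javascript:alert(1)', 'href', 'attribute', null),
    data: sanitize('data:text/html,<script>alert(1)</script>', 'src', 'attribute', null),
    mailto: sanitize('mailto:security@example.com', 'href', 'attribute', null),
    untrustedHtml: sanitize('<img src=x onerror=alert(1)>', 'innerHTML', 'property', null),
    trustedHtml: sanitize(new SafeHtml('<b>ok</b>'), 'innerHTML', 'property', null),
    handler: sanitize('alert(1)', 'onclick', 'attribute', null),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The relative and protocol-relative cases show why the allowlist must run after resolution rather than on the raw string: `//cdn.example/x.js` has no scheme of its own and inherits https: from the base, so a check that only inspects the prefix of the bound value would have nothing to reject or accept. The `startsWith('on')` branch is deliberately limited to attribute bindings, because assigning a string to an element's `onclick` property does not create a handler, whereas the attribute does.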

@JoshuaProvoste (Author) commented Apr 2, 2026

Recommendation: Since Polymer is in a "stability" state and has been officially succeeded by Lit, and following the project's philosophy that "template authors are trusted," I additionally recommend implementing documentation improvements that explicitly warn about the security risks identified in both URL resolution and inner-h-t-m-l bindings.

Furthermore, including console warnings to guide developers toward proper mitigation, such as utilizing sanitizeDOMValue for data bindings and ensuring strict protocol validation for resolved URLs, would fulfill the responsibility of informing developers about security risks inherent to the framework's design.

Best,
@JoshuaProvoste

Labels

None yet

Projects

None yet

1 participant