Re: [PR] Cordova-js: Event Listener Hijacking [cordova-js]

Tue, 06 Aug 2024 11:35:03 -0700 


breautek commented on code in PR #276:
URL: https://github.com/apache/cordova-js/pull/276#discussion_r1705951174


##########
src/cordova.js:
##########
@@ -43,6 +43,80 @@ var m_window_removeEventListener = 
window.removeEventListener;
 var documentEventHandlers = {};
 var windowEventHandlers = {};
 
+/**
+ * Mitigation for Event Listener Hijacking
+ */
+(function () {
+    var originalDocumentAddEventListener = document.addEventListener;
+    var originalWindowAddEventListener = window.addEventListener;
+    var documentEventHandlers = {};
+    var windowEventHandlers = {};
+
+    document.addEventListener = function (evt, handler, capture) {
+        var e = evt.toLowerCase();
+        if (typeof documentEventHandlers[e] !== 'undefined') {
+            if (typeof documentEventHandlers[e].subscribe === 'function') {
+                documentEventHandlers[e].subscribe(handler);
+            } else {
+                console.warn('No subscribe function defined for event:', e);
+            }
+        } else {
+            originalDocumentAddEventListener.call(document, evt, handler, 
capture);
+        }
+    };
+
+    window.addEventListener = function (evt, handler, capture) {
+        var e = evt.toLowerCase();
+        if (typeof windowEventHandlers[e] !== 'undefined') {
+            if (typeof windowEventHandlers[e].subscribe === 'function') {
+                windowEventHandlers[e].subscribe(handler);
+            } else {
+                console.warn('No subscribe function defined for event:', e);
+            }
+        } else {
+            originalWindowAddEventListener.call(window, evt, handler, capture);
+        }
+    };
+
+    // Securely define your event handlers
+    documentEventHandlers.click = {
+        subscribe: function (handler) {
+            var secureHandler = function (event) {
+                // Perform necessary checks or actions before invoking the 
handler
+                if (event && event.target) {
+                    var allowedElements = ['button', 'a', 'div'];
+                    if 
(allowedElements.indexOf(event.target.tagName.toLowerCase()) > -1) {
+                        handler(event);
+                    } else {
+                        console.warn('Click event handler ignored for 
disallowed element:', event.target.tagName);
+                    }

Review Comment:
   I don't believe we can do this restriction.
   
   To summarize 
https://github.com/apache/cordova-js/pull/276#discussion_r1705948690
   
   Standard browser behaviour allows click on all tags. Cordova cannot 
reasonably block or whitelist specific tags. There's some frameworks that is 
widely use that even allows users to use custom tags.
   
   So I think the `allowedElements` check needs to be removed.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org
For additional commands, e-mail: issues-h...@cordova.apache.org

Reply via email to