Amphtml: amp-mustache: "alert(1)" popup on Opera Mini

Created on 19 Dec 2018  路  10Comments  路  Source: ampproject/amphtml

What's the issue?

When opening any AMP page in opera mini, you are confronted on page load with an alert - javascript alert: 1

img_1439
img_1438

How do we reproduce the issue?

Go to any AMP page (I tried news publishers) in opera mini (opera mini proper, not opera turbo) and load any AMP page. The JS alert box seems to appear immediately and doesn't provide any context to the user.

What browsers are affected?

Tested on opera mini on iOS

When Possible Bug runtime
Source
picture eagerterrier

Most helpful comment

I suspect this in amp-bind-0.1.max.js

if (DOMPurify.isSupported) {
    (function () {
      try {
        var doc = _initDocument('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">');

        if (doc.querySelector('svg img')) {
          useDOMParser = true;
        }
      } catch (err) {}
    })();
picture jpettitt on 19 Dec 2018
👍2 🎉1

All 10 comments

I can repro on some AMP pages on Oepra Mini iOS after switching Turbo off. (Note Opera Touch and Android Opera is fine. Also note Opera Mino is not available on Apple US store, have to switch country to download)

Not sure what it is, dos not happen on pages from cache or viewer, only when hit directly. Some AMP First sites like ampproject.org and ampbyexample.com are fine but tasty.co isn't.

aghassemi picture aghassemi on 19 Dec 2018

no sure where this falls, /cc @choumx

aghassemi picture aghassemi on 19 Dec 2018

I suspect this in amp-bind-0.1.max.js

if (DOMPurify.isSupported) {
    (function () {
      try {
        var doc = _initDocument('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">');

        if (doc.querySelector('svg img')) {
          useDOMParser = true;
        }
      } catch (err) {}
    })();
jpettitt picture jpettitt on 19 Dec 2018
👍2 🎉1

@jpettitt nice find. I can confirm ampbyexample page for amp-bind throws the alert

aghassemi picture aghassemi on 20 Dec 2018

@aghassemi all I did was grep for alert(1) in the dist files :-)

jpettitt picture jpettitt on 20 Dec 2018

DOMpurify is a 3P, maybe we need to upgrade or patch it. @choumx we patch web-animations 3P in build files with regex hacks, same may work here too

aghassemi picture aghassemi on 20 Dec 2018

I can file this upstream with DOMPurify. Thanks for the investigation.

choumx picture choumx on 20 Dec 2018

This issue doesn't have a category which makes it harder for us to keep track of it. @choumx Please add an appropriate category.

ampprojectbot picture ampprojectbot on 9 Jan 2019

Tracked in DOMPurify: https://github.com/cure53/DOMPurify/issues/312

Just need to upgrade past the patch to fix it AMP.

choumx picture choumx on 9 Jan 2019

@choumx Great news: DomPurify seem to have done their bit!

eagerterrier picture eagerterrier on 15 Jan 2019
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

gmajoulet picture gmajoulet  路  3Comments
choumx picture choumx  路  3Comments
edhollinghurst picture edhollinghurst  路  3Comments
westonruter picture westonruter  路  3Comments
samanthamorco picture samanthamorco  路  3Comments