File tree Expand file tree Collapse file tree 1 file changed +21
-0
lines changed Expand file tree Collapse file tree 1 file changed +21
-0
lines changed Original file line number Diff line number Diff line change @@ -52551,6 +52551,27 @@ interface <dfn>HTMLLegendElement</dfn> : <span>HTMLElement</span> {
5255152551
5255252552 </div>
5255352553
52554+ <div class="note">
52555+ <p>DOM clobbering is a common cause of security issues. Avoid using the names of
52556+ built-in form properties with the <code data-x="attr-fe-name">name</code> content attribute.</p>
52557+
52558+ <p>In this example, the <code>input</code> element overrides the built-in <code
52559+ data-x="attr-fs-method">method</code> property:</p>
52560+
52561+ <pre>let form = document.createElement("form");
52562+ let input = document.createElement("input");
52563+ form.appendChild(input);
52564+
52565+ form.method; // => "get"
52566+ input.name = "method"; // DOM clobbering occurs here
52567+ form.method === input; // => true
52568+ </pre>
52569+
52570+ <p>Since the input name takes precedence over built-in form properties, the JavaScript reference
52571+ <code data-x="">form.method</code> will point to the <code>input</code> element named "method"
52572+ instead of the built-in <code data-x="attr-fs-method">method</code> property.</p>
52573+ </div>
52574+
5255452575
5255552576 <h5>Submitting element directionality: the <code data-x="attr-fe-dirname">dirname</code> attribute</h5>
5255652577
You can’t perform that action at this time.
0 commit comments