From b185b3c9eab0d9a033b973dcdd6d855d342bfe86 Mon Sep 17 00:00:00 2001
From: Joey Parrish
Date: Mon, 19 Jul 2021 14:12:49 -0700
Subject: [PATCH] fix: Make ARIA polyfill more robust
All the attributes listed in the polyfill already begin with "aria". However, to add extra protection against the possibility of XSS attacks through one of the polyfill's internal methods, this enforces "aria-" at the beginning of the snake-case attribute name, even if somehow "aria" were missing from the input JavaScript attribute name. This change is based on the outcome of an internal security review.
Change-Id: Iec8a9cbd5f88fdf4b87da3e5cd058c4ffb69c3ff
---
 lib/polyfill/aria.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/polyfill/aria.js b/lib/polyfill/aria.js
index 388c37a5f8..7517035c3e 100644
--- a/lib/polyfill/aria.js
+++ b/lib/polyfill/aria.js
@@ -48,7 +48,13 @@ shaka.polyfill.Aria = class {
 * @private
 */
 static addARIAMixinAttribute_(name) {
- const snakeCaseName = name.toLowerCase().replace('aria', 'aria-');
+ const baseName = name.toLowerCase().replace(/^aria/, '');
+ // NOTE: All the attributes listed in the method above begin with "aria".
+ // However, to add extra protection against the possibility of XSS attacks
+ // through this method, this enforces "aria-" at the beginning of the
+ // snake-case name, even if somehow "aria" were missing from the input.
+ const snakeCaseName = `aria-${baseName}`;
+
 /* eslint-disable no-restricted-syntax */
 Object.defineProperty(Element.prototype, name, {
 get() {
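Review bot: The hardening covers only the attribute name: on the `Object.defineProperty(Element.prototype, name, {` line the unmodified `name` is still used as the property key, so an input without the "aria" prefix would still define (and possibly shadow) a property on `Element.prototype`, and the part of the name after the prefix is not constrained either. Since the stated goal is defence in depth, rejecting unexpected input at the top of the method would cover both the property and the attribute side, e.g. `if (!/^aria[A-Z][A-Za-z]*$/.test(name)) { return; }` placed before `baseName` is computed. The new comment also calls the hyphenated form "snake-case", while the `aria-label` style is usually called kebab-case. The body of addARIAMixinAttribute_ continues past the end of the hunk, so how `snakeCaseName` is consumed by the getter and setter is not visible here.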