I have noticed that taint is lost on btoa()-encoded strings when classes are involved. Below is the code to reproduce it; `clientX` and `clientY` are marked as taint sources.
/**
 * Collects items in memory and persists them to sessionStorage under one key.
 *
 * Repro note: set() writes the same key twice on purpose — first the raw JSON,
 * then its btoa() encoding — so that each setItem call is a separate sink for
 * the taint analysis. btoa() is only an encoding, not sanitization: any taint
 * present on the JSON string is still present in the Base64 output.
 */
class SessionStorageManager {
  /**
   * @param {string} storageKey - sessionStorage key the items are written under.
   */
  constructor(storageKey) {
    this.storageKey = storageKey;
    this.storage = window.sessionStorage;
    this.items = [];
  }

  /**
   * Builds an item with `factory(key)`, records it in `this.items` and returns it.
   * @param {string} key - key handed to the factory.
   * @param {(key: string) => object} factory - creates the item for `key`.
   * @returns {object} the created item (the same object that was pushed).
   */
  get(key, factory) {
    const created = factory(key);
    this.items.push(created);
    return created;
  }

  /**
   * Serializes `this.items` and writes it to storage; does nothing when
   * `this.storage` is falsy. The plain-JSON write is immediately overwritten
   * by the Base64 write of the same key.
   */
  set() {
    if (!this.storage) {
      return;
    }
    const jsonString = JSON.stringify(this.items);
    const encoded2 = btoa(jsonString);
    this.storage.setItem(this.storageKey, jsonString);
    this.storage.setItem(this.storageKey, encoded2);
  }
}
/** sessionStorage key the repro writes both the plain and the btoa() form under. */
const STORAGE_KEY = 'myAppData';
const storageManager = new SessionStorageManager(STORAGE_KEY);
/**
 * Creates a fresh item record for `key` with placeholder data.
 * @param {string} key - identifier stored on the item.
 * @returns {{ key: string, data: string }} a new object each call.
 */
function itemFactory(key) {
  const data = "thing";
  return { key, data };
}
// Every click feeds the pointer position (the taint source) into keyHandler2.
document.addEventListener('click', keyHandler2, false);
/**
 * Click handler: stores the pointer position on a new item and persists it.
 * `e.clientX` / `e.clientY` are the taint sources in this repro; they flow
 * through JSON.stringify and btoa() into both setItem sinks.
 * @param {MouseEvent} e - the click event.
 */
function keyHandler2(e) {
  const position = [e.clientX, e.clientY];
  const item1 = storageManager.get('item1', itemFactory);
  item1.data = position;
  storageManager.set();
}
When you click on the page, both setItem calls report taint flows. But after the first click, every subsequent click only reports a taint flow for the setItem that receives `jsonString`; the setItem that receives `encoded2` no longer reports one. This only happens to strings that have passed through the btoa builtin (as far as I can tell), and only when classes are involved (all the different ways of declaring classes, as far as I can tell).
I have noticed that taint is lost on btoa()-encoded strings when classes are involved. Below is the code to reproduce it; `clientX` and `clientY` are marked as taint sources.
When you click on the page, both setItem calls report taint flows. But after the first click, every subsequent click only reports a taint flow for the setItem that receives `jsonString`; the setItem that receives `encoded2` no longer reports one. This only happens to strings that have passed through the btoa builtin (as far as I can tell), and only when classes are involved (all the different ways of declaring classes, as far as I can tell).