- From: Adam Barth <w3c@adambarth.com>
- Date: Sun, 17 Jan 2010 11:41:21 -0800
- To: HTML WG <public-html@w3.org>
Whenever we add a new syntax for executing script, there is some risk that web sites with weak XSS filters will mistakenly let attackers inject scripting using the new syntax. For example, a web site might let an attacker inject the following string:

    <iframe doc="<script>alert(1)</script>">

The risk from this injection vector is mitigated because a regexp-based XSS filter will likely block the @doc attribute from containing HTML that executes script. However, more advanced XSS filters that understand how to parse HTML attributes might let that string through.

There are a couple of options for resolving this issue:

1) Always give documents created with @doc a unique origin. This approach is consistent with the use case of using this attribute for untrusted content.

2) Change @doc from being an HTML attribute to being a DOM method. This approach also makes it impossible for authors to screw up the escaping.

Adam
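As an added example (not part of the original message), two toy filters in Python run over the string quoted above: a pattern-matching filter rejects it because the literal `<script` appears anywhere, while an attribute-aware filter accepts it until it is told that the value of `doc` is itself a document to be checked with the same policy. The filter rules, the extra sample markup and the `example.invalid` URL are constructed for illustration.

```python
"""Added example: why an attribute-aware XSS filter must know every attribute
whose value is parsed as HTML. Rules and sample inputs are constructed."""
import re
from html.parser import HTMLParser

# Constructed sample inputs: the string from the message, a harmless iframe
# (hypothetical URL), and an inline event handler.
SAMPLES = {
    "doc_attr": '<iframe doc="<script>alert(1)</script>">',
    "plain": '<iframe src="https://example.invalid/">',
    "handler": '<img src="x" onerror="alert(1)">',
}

def regexp_filter_blocks(markup: str) -> bool:
    """Filter A: raw pattern match. Rejects the @doc string simply because
    the text '<script' occurs, without understanding HTML structure."""
    return re.search(r"<\s*script", markup, re.IGNORECASE) is not None

class _AttrScanner(HTMLParser):
    """Filter B: walks parsed tags/attributes and applies a small policy."""
    def __init__(self, html_valued_attrs):
        super().__init__()
        self.html_valued_attrs = html_valued_attrs
        self.blocked = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.blocked = True
        for name, value in attrs:
            if name.startswith("on"):          # inline event handlers
                self.blocked = True
            # An attribute declared as HTML-valued is a nested document:
            # re-run the same policy on its value. Without "doc" in this
            # set, the value is treated as opaque text and passes.
            if name in self.html_valued_attrs and value:
                if parser_filter_blocks(value, self.html_valued_attrs):
                    self.blocked = True

def parser_filter_blocks(markup: str, html_valued_attrs=frozenset()) -> bool:
    """Return True if the attribute-aware policy rejects the markup."""
    scanner = _AttrScanner(html_valued_attrs)
    scanner.feed(markup)
    scanner.close()
    return scanner.blocked

def run_demo() -> dict:
    """Compare both filters on every sample, with and without knowing @doc."""
    return {name: (regexp_filter_blocks(m), parser_filter_blocks(m),
                   parser_filter_blocks(m, frozenset({"doc"})))
            for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, (rx, parse, parse_doc) in run_demo().items():
        print(f"{name:9} regexp={rx} parser={parse} parser+doc={parse_doc}")
```

The middle column for `doc_attr` is the gap the message describes: a filter that correctly parses attributes sees only an opaque `doc` value, so the policy has to be updated for every new script-bearing syntax (or the content isolated with a unique origin, as option 1 proposes).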
Received on Sunday, 17 January 2010 19:42:18 UTC