- From: Philip Taylor <pjt47@cam.ac.uk>
- Date: Sun, 17 Jan 2010 20:57:40 +0000
- To: Ian Hickson <ian@hixie.ch>
- CC: Adam Barth <w3c@adambarth.com>, HTML WG <public-html@w3.org>
Ian Hickson wrote:
> On Sun, 17 Jan 2010, Adam Barth wrote:
>> Whenever we add a new syntax for executing script, there is some risk
>> that web sites with weak XSS filters will mistakenly let attackers
>> inject scripting using the new syntax. For example, a web site might
>> let an attacker inject the following string:
>>
>> <iframe doc="<script>alert(1)</script>">
>>
>> [...]
>
> doc="" is only meant to be used with sandbox="". I can just make it not do
> anything at all if sandbox="" isn't specified, if that helps.

An XSS filter that lets the user give a doc attribute will let the user give
a sandbox attribute too, i.e. they can write

<iframe doc="<script>alert(1)</script>" sandbox="allow-scripts">

So as far as I can see, making it do nothing when there's no sandbox
attribute doesn't help.

-- 
Philip Taylor
pjt47@cam.ac.uk
Received on Sunday, 17 January 2010 20:58:11 UTC
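To make the argument in the message concrete, here is an added example that is not part of the original thread, the HTML spec, or any browser code: a constructed attribute-allowlist filter over iframe tags, paired with a hypothetical model of the proposed "doc does nothing without sandbox" behaviour (the names doc, sandbox and allow-scripts are taken from the thread; the attribute later shipped as srcdoc, but the model keeps the thread's name). It shows that a filter which allows both doc and sandbox still passes the second quoted string with script enabled, while a filter that drops doc itself does not.

```python
import html
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set, Tuple

Attrs = Dict[str, Optional[str]]


def doc_script_runs(attrs: Attrs) -> bool:
    """Hypothetical model of the proposal in the thread: doc="" is ignored
    unless sandbox="" is present, and script inside the doc runs only when
    the sandbox flags include allow-scripts. Not a browser implementation."""
    doc, sandbox = attrs.get("doc"), attrs.get("sandbox")
    if doc is None or sandbox is None or "<script" not in doc.lower():
        return False
    return "allow-scripts" in sandbox.split()


class IframeAttrFilter(HTMLParser):
    """Constructed allowlist filter: keeps only the listed attributes on
    <iframe> and re-serialises everything else with values escaped."""

    def __init__(self, allowed_iframe_attrs: Set[str]) -> None:
        super().__init__(convert_charrefs=True)
        self.allowed = allowed_iframe_attrs
        self.iframes: List[Attrs] = []   # attrs that survived, per iframe
        self.out: List[str] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        kept = dict(attrs) if tag != "iframe" else {k: v for k, v in attrs if k in self.allowed}
        if tag == "iframe":
            self.iframes.append(kept)
        rendered = "".join(f' {k}="{html.escape(v or "", quote=True)}"' for k, v in kept.items())
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag: str) -> None:
        self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        self.out.append(html.escape(data, quote=False))


def filter_iframes(markup: str, allowed: Set[str]) -> Tuple[str, bool]:
    """Returns (filtered markup, whether any surviving iframe can run script)."""
    f = IframeAttrFilter(allowed)
    f.feed(markup)
    f.close()
    return "".join(f.out), any(doc_script_runs(a) for a in f.iframes)


# Constructed inputs: the two strings quoted in the thread.
DOC_ONLY = '<iframe doc="<script>alert(1)</script>">'
DOC_AND_SANDBOX = '<iframe doc="<script>alert(1)</script>" sandbox="allow-scripts">'
```

Under the model, allowing doc alone is harmless only because sandbox is also stripped; the moment the allowlist admits sandbox as well, the "no sandbox, no effect" rule stops helping, which is the point of the reply.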