W3C home > Mailing lists > Public > public-html@w3.org > January 2010

Re: XSS risk from iframe@doc?

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 18 Jan 2010 05:56:02 +0000 (UTC)
To: Maciej Stachowiak <mjs@apple.com>
Cc: HTML WG <public-html@w3.org>
Message-ID: <Pine.LNX.4.64.1001180551000.3759@ps20323.dreamhostps.com>
On Sun, 17 Jan 2010, Maciej Stachowiak wrote:
> 
> Adam did specify "weak XSS filters". Even though filters based on 
> blacklisting instead of whitelisting are poor design, I suspect a lot of 
> sites still use them and therefore we might make existing sites more 
> vulnerable.

Yes, but we do so every time we invent a new event handler (e.g. 
onhashchange), content embedding mechanism (e.g. <video>), styling 
mechanism (e.g. <style scoped>), element with special styling or parsing 
rules (e.g. <ruby>), feature affecting the rendering (e.g. hidden=""), 
attribute affecting the UI (e.g. <input required>), etc etc etc.

I mean, pretty much any new feature in HTML5 can be be a problem for an 
XSS filter with a matching weakness. If we start being worried about this, 
we are likely to end up frozen in fear, unable to invent anything.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 18 January 2010 05:56:31 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:39:12 UTC