W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: A perfect DOM sandbox

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 15 Feb 2011 02:54:36 -0500
Message-ID: <4D5A313C.7050704@mit.edu>
To: "sird@rckc.at" <sird@rckc.at>
CC: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org

On 2/15/11 2:40 AM, sird@rckc.at wrote:
>      if(navigator.userAgent.match(/Firefox/))
>          ifr.setAttribute("src","/xss.php?csp&plain_text");

What's the point of that?

>      try {
>          ifr.contentDocument.documentElement.innerHTML=src;

Given that you immediately do this?

(Let's ignore for the moment that matching on "Firefox" is totally the 
wrong way to detect Gecko and minor details like that.)

> parseHTML("<img src=/ onload=alert(1)
> onerror=alert(1)><script>alert(1)</script><iframe
> src=javascript:alert(1)></iframe><b>hello</b>").getElementsByTagName("b")[0].innerHTML;
> parseHTML("<xD/>").getElementsByTagName("*")[0].innerHTML="<img src=/
> onload=alert(1) onerror=alert(1)><script>alert(1)</script><iframe
> src=javascript:alert(1)></iframe>";

The fact that these don't execute in Gecko just has to do with the 
window being torn down before the async load events fire.

Received on Tuesday, 15 February 2011 07:55:41 GMT
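An added test page, not part of this thread or of anyone's code in it, that makes Boris's point observable: the quoted parseHTML approach writes untrusted markup into an iframe's contentDocument, which has a live browsing context, so `<img onerror>` and `<iframe src=javascript:>` do run, only asynchronously (the inline `<script>` never runs, because innerHTML never executes scripts, in either approach). The same payloads parsed with DOMParser, which creates a document with no browsing context, never fire anything. The page keeps the iframe attached instead of tearing it down, and replaces alert(1) with a recorder so the async handlers are actually caught. The names PAYLOAD, report, parseHTMLViaIframe, parseHTMLInert and check are this example's own, as is the 1-second wait; load the file in a browser and read the `<pre>`.

```html
<!doctype html>
<meta charset="utf-8">
<title>DOM sandbox check: iframe document vs. inert document</title>
<pre id="log"></pre>
<script>
// Constructed payload, same shape as the one in the thread, but every alert(1)
// is replaced by top.report(...) so that async handlers can be recorded.
// top is the outermost window both from the sandbox iframe and from the
// javascript: iframe nested inside it (all same-origin about:blank).
const PAYLOAD =
  '<img src=/ onload="top.report(\'img onload\')" onerror="top.report(\'img onerror\')">' +
  '<script>top.report("inline script")<\/script>' +
  '<iframe src="javascript:top.report(\'javascript: iframe\')"></iframe>' +
  '<b>hello</b>';

const seen = [];
function log(msg) { document.getElementById('log').textContent += msg + '\n'; }
function report(what) { seen.push(what); }

// The quoted approach: an attached iframe's about:blank document. It has a
// window, fetches resources and runs event handler attributes and
// javascript: navigations. Nothing is torn down here, so they get to fire.
function parseHTMLViaIframe(html) {
  const ifr = document.createElement('iframe');
  ifr.style.display = 'none';
  document.body.appendChild(ifr);        // contentDocument exists only once attached
  const doc = ifr.contentDocument;
  doc.documentElement.innerHTML = html;  // same assignment as in the quoted code
  return doc;
}

// Inert alternative: a DOMParser document has no browsing context, so no
// script runs, no resource is fetched and no handler attribute ever fires.
// document.implementation.createHTMLDocument('') behaves the same way.
function parseHTMLInert(html) {
  return new DOMParser().parseFromString(html, 'text/html');
}

// Parse, extract the <b> text (the legitimate use case), then wait for any
// asynchronous handlers before reporting what fired.
function check(label, parse) {
  seen.length = 0;
  const doc = parse(PAYLOAD);
  log(label + ': extracted <b> = ' + doc.getElementsByTagName('b')[0].innerHTML);
  // Second payload from the thread: innerHTML on an element of the parsed
  // document. In the inert document this is still inert.
  doc.getElementsByTagName('*')[0].innerHTML = PAYLOAD;
  return new Promise(resolve => setTimeout(() => {
    log(label + ': handlers fired = ' + (seen.length ? seen.join(', ') : 'none'));
    resolve();
  }, 1000));
}

// Caveat: inertness is a property of the document, not of the nodes. Moving a
// parsed node into the live document brings its handlers with it.
function adoptIntoLiveDocument() {
  seen.length = 0;
  const img = parseHTMLInert(PAYLOAD).querySelector('img');
  document.body.appendChild(document.importNode(img, true));
  return new Promise(resolve => setTimeout(() => {
    log('imported <img> into live document: handlers fired = ' +
        (seen.length ? seen.join(', ') : 'none'));
    resolve();
  }, 1000));
}

check('DOMParser (inert)', parseHTMLInert)
  .then(() => check('iframe (live)', parseHTMLViaIframe))
  .then(adoptIntoLiveDocument);
</script>
```

Expected in a current browser: the DOMParser run extracts "hello" and reports no handlers; the iframe run extracts the same "hello" but, after the wait, reports "img onerror" (or "img onload", depending on what `/` resolves to) and "javascript: iframe"; the import step fires the img handler again. Extract strings from the inert document and never adopt its nodes into a live one.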