W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: A perfect DOM sandbox

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 15 Feb 2011 02:54:36 -0500
Message-ID: <4D5A313C.7050704@mit.edu>
To: "sird@rckc.at" <sird@rckc.at>
CC: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
On 2/15/11 2:40 AM, sird@rckc.at wrote:
>      if(navigator.userAgent.match(/Firefox/))
>          ifr.setAttribute("src","/xss.php?csp&plain_text");

What's the point of that?

>      try {
>          ifr.contentDocument.documentElement.innerHTML=src;

Given that you immediately do this?

(Let's ignore for the moment that matching on "Firefox" is totally the 
wrong way to detect Gecko and minor details like that.)

> parseHTML("<img src=/ onload=alert(1)
> onerror=alert(1)><script>alert(1)</script><iframe
> src=javascript:alert(1)></iframe><b>hello</b>").getElementsByTagName("b")[0].innerHTML;
> parseHTML("<xD/>").getElementsByTagName("*")[0].innerHTML="<img src=/
> onload=alert(1) onerror=alert(1)><script>alert(1)</script><iframe
> src=javascript:alert(1)></iframe>";

The fact that these don't execute in Gecko just has to do with the 
window being torn down before the async load events fire.

-Boris
Received on Tuesday, 15 February 2011 07:55:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 15 February 2011 07:55:41 GMT