
Re: A perfect DOM sandbox

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 15 Feb 2011 10:12:51 +0000
Message-ID: <AANLkTik5C+FfKKGRjw+UGrud8HE0kWOTJ11yfZUUCHVa@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: public-web-security@w3.org

On 15 February 2011 07:40, sird@rckc.at <sird@rckc.at> wrote:

> Try this function; does it meet your needs? (try it on
> http://0x.lv/shell.html). Works on FF 4, IE 6/7/8, Safari, Opera and
> Chrome.. though, I haven't really tested how safe it is :) it just seems to
> work.
>
> Worth noting that it returns an HTMLNodeElement belonging to a deleted
> document, with no Window associated with it.. which means that its
> ownerDocument may be null in some browsers, and you can't appendNode
> (because you need to importNode first).
>
> Either way, it shouldn't execute stuff if you play with it.. oh also, you
> probably want to modify the iframe's <base href>.
>

How would you set the data back? For example <div style=color:#fff>, how
would you now render that once you have the node?
I'd say the problem with this approach is that it relies on there being no
execution once you import the node back and that when you set it to render
you actually get the result you intended. My original point was it's
perfectly valid to create a DOM sandbox if you account for the "quirks" but
you can't be 100% certain it's secure.
Received on Tuesday, 15 February 2011 10:13:23 GMT
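One way to bring the parsed content back without importing the sandbox node itself, as an added example that is not code from either message: the markup is parsed in a document that has no browsing context, and a fresh copy is then built in the live document from allowlisted elements and attributes only, so nothing the attacker put on the original node (on* handlers, javascript: URLs, unknown elements) survives the trip. The allowlists and the names `parseInert`, `isSafeUrl`, `allowedAttr` and `rebuild` are assumptions; `style` is kept so that the `<div style=color:#fff>` case above renders, which still depends on the live engine's CSS handling, which is exactly the "quirks" caveat Gaz raises.

```javascript
// Added example, not from the thread: parse in an inert document, then
// rebuild an allowlisted copy instead of importNode()-ing the parsed tree.
const ALLOWED_TAGS = new Set(['DIV', 'SPAN', 'P', 'B', 'I', 'A', 'UL', 'LI']);
const GLOBAL_ATTRS = new Set(['title', 'style']);   // assumed allowlists
const TAG_ATTRS = { A: new Set(['href']) };

// Browser-only: a document created this way has no browsing context, so
// parsing here never runs <script> or on* handlers.
function parseInert(html) {
  const doc = document.implementation.createHTMLDocument('');
  doc.body.innerHTML = html;
  return doc.body;
}
// Accept only relative or http(s) URLs. Browsers drop tab/CR/LF anywhere and
// leading C0 controls before parsing, so normalise the same way first.
function isSafeUrl(value) {
  const v = value.replace(/[\t\r\n]/g, '').replace(/^[\u0000-\u0020]+/, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return !m || m[1] === 'http' || m[1] === 'https';
}
function allowedAttr(tag, name, value) {
  if (name.startsWith('on')) return false;                 // event handlers
  if (name === 'href' || name === 'src') return isSafeUrl(value);
  return GLOBAL_ATTRS.has(name) || (TAG_ATTRS[tag] || new Set()).has(name);
}
// Walk the inert tree and create fresh nodes through `factory` (the live
// `document` in a browser). Elements not on the allowlist are dropped with
// their subtree; only allowlisted attributes are copied onto the new nodes.
function rebuild(node, factory) {
  const frag = factory.createDocumentFragment();
  for (const child of node.childNodes) {
    if (child.nodeType === 3) {                              // text node
      frag.appendChild(factory.createTextNode(child.nodeValue));
    } else if (child.nodeType === 1) {                       // element
      const tag = child.tagName.toUpperCase();
      if (!ALLOWED_TAGS.has(tag)) continue;
      const el = factory.createElement(tag.toLowerCase());
      for (const name of child.getAttributeNames()) {
        const value = child.getAttribute(name);
        if (allowedAttr(tag, name.toLowerCase(), value)) el.setAttribute(name, value);
      }
      el.appendChild(rebuild(child, factory));
      frag.appendChild(el);
    }
  }
  return frag;
}
// Browser usage: document.body.appendChild(rebuild(parseInert(untrusted), document));
```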
