
Re: A perfect DOM sandbox

From: <sird@rckc.at>
Date: Tue, 15 Feb 2011 20:24:10 -0800
Message-ID: <AANLkTinX400nwe=t32TpTQmR08dJ7mXa7jD9j15AUS9a@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
> What's the point of that?
Oh, actually the idea is that you only create one iframe and they just
modify the innerHTML, so the CSP restrictions do apply. In this case
the scripts don't load for other reasons, being that they don't have
time to execute. I forgot that detail later on... good for pointing
that out ;)

> And one more thing.  If you just want to have your HTML parsed in a context in which scripts won't execute, you can simply createDocument a document via the DOMImplementation and then set innerHTML in there...
Because that's an XML parser.

doc.childNodes[0].innerHTML="<img src=x onload=alert(1) onerror=alert(1)>"
NS_ERROR_DOM_SYNTAX_ERR on line 1: An invalid or illegal string was specified

Greetz!!
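An added example, not from this thread or its participants: it contrasts the XML document from createDocument (where the non-well-formed img tag above throws) with an inert HTML document from DOMImplementation.createHTMLDocument, and inventories the script-bearing parts of the parsed markup without running them. Assumes a browser DOM; the walker itself only needs childNodes, tagName and attributes, so it also runs over a duck-typed tree.

```javascript
// Added example (not from the thread). Boris's suggestion uses
// DOMImplementation.createDocument(), which yields an XML document, so
// innerHTML goes through the XML parser and HTML that is not well-formed
// throws (the NS_ERROR_DOM_SYNTAX_ERR shown in the message above).
// createHTMLDocument() instead yields an HTML document with no browsing
// context: the HTML parser accepts the markup, but scripts never execute.
function parseInertHtml(markup) {
  const inert = document.implementation.createHTMLDocument("");
  inert.body.innerHTML = markup;
  return inert.body;
}

// Defensive inventory: list every element carrying executable content
// (script elements, on* handler attributes, javascript: URLs). Works on a
// real DOM subtree or any tree exposing childNodes/tagName/attributes.
function findActiveContent(node, found = []) {
  const tag = (node.tagName || "").toLowerCase();
  if (tag === "script") found.push({ tag, reason: "script element" });
  for (const attr of Array.from(node.attributes || [])) {
    const name = attr.name.toLowerCase();
    const value = String(attr.value).trim().toLowerCase();
    if (name.startsWith("on")) {
      found.push({ tag, reason: "handler " + name });
    } else if (["href", "src", "action"].includes(name) && value.startsWith("javascript:")) {
      found.push({ tag, reason: "javascript: URL in " + name });
    }
  }
  for (const child of Array.from(node.childNodes || [])) findActiveContent(child, found);
  return found;
}

// Browser usage with the markup from the message above; skipped where no DOM
// exists (e.g. under Node). Neither handler fires while the document is inert.
if (typeof document !== "undefined") {
  const body = parseInertHtml("<img src=x onload=alert(1) onerror=alert(1)>");
  console.log(findActiveContent(body)); // entries for onload and onerror
}
```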
Received on Wednesday, 16 February 2011 04:25:03 GMT
