- From: <sird@rckc.at>
- Date: Tue, 15 Feb 2011 20:43:53 -0800
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
For what is worth.. if browser provide a safe way of creating a DOM like this.. one could simply traverse it and create a second fake DOM later on on top of that, or emulate a SAX parser. -- Eduardo On Tue, Feb 15, 2011 at 8:24 PM, sird@rckc.at <sird@rckc.at> wrote: >> What's the point of that? > Oh actually the idea is that you only create one iframe and they just > modify the innerHTML, so the CSP restrictions do apply. In this case > the scripts don't load for other reasons, being.. that they don't have > time to execute. I forgot that detail later on.. good for pointing > that out ;) > >> And one more thing. If you just want to have your HTML parsed in a context in which scripts won't execute, you can simply createDocument a document via the DOMImplementation and then set innerHTML in there... > because that's an XML parser. > > doc.childNodes[0].innerHTML="<img src=x onload=alert(1) onerror=alert(1)>" > NS_ERROR_DOM_SYNTAX_ERR on line 1: An invalid or illegal string was specified > > Greetz!! >
Received on Wednesday, 16 February 2011 04:44:47 UTC