W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: A perfect DOM sandbox

From: <sird@rckc.at>
Date: Tue, 15 Feb 2011 20:43:53 -0800
Message-ID: <AANLkTi=y8826geoH7kJ+0AuT1CCV017cfWd40EK0DOdX@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
For what is worth.. if browser provide a safe way of creating a DOM
like this.. one could simply traverse it and create a second fake DOM
later on on top of that, or emulate a SAX parser.
-- Eduardo

On Tue, Feb 15, 2011 at 8:24 PM, sird@rckc.at <sird@rckc.at> wrote:
>> What's the point of that?
> Oh actually the idea is that you only create one iframe and they just
> modify the innerHTML, so the CSP restrictions do apply. In this case
> the scripts don't load for other reasons, being.. that they don't have
> time to execute. I forgot that detail later on.. good for pointing
> that out ;)
>> And one more thing.  If you just want to have your HTML parsed in a context in which scripts won't execute, you can simply createDocument a document via the DOMImplementation and then set innerHTML in there...
> because that's an XML parser.
> doc.childNodes[0].innerHTML="<img src=x onload=alert(1) onerror=alert(1)>"
> NS_ERROR_DOM_SYNTAX_ERR on line 1: An invalid or illegal string was specified
> Greetz!!
Received on Wednesday, 16 February 2011 04:44:47 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:18 UTC