W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: A perfect DOM sandbox

From: <sird@rckc.at>
Date: Tue, 15 Feb 2011 21:01:15 -0800
Message-ID: <AANLkTin7E1VJKbqVZOweHEYP5_NVMboyRVTG_8h2iXYf@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
Oh, now that I remember Firefox also executes event handles on
unappended nodes, so the parseHTML trick I used, doesn't work on
Firefox 3.6 anyways.. but that code was made like in 10 minutes, and
verified in browsers in like 5, so well..

I filed a bug about this a long time ago, and was marked as wontfix.

-- Eduardo

On Tue, Feb 15, 2011 at 8:43 PM, sird@rckc.at <sird@rckc.at> wrote:
> For what is worth.. if browser provide a safe way of creating a DOM
> like this.. one could simply traverse it and create a second fake DOM
> later on on top of that, or emulate a SAX parser.
> -- Eduardo
> On Tue, Feb 15, 2011 at 8:24 PM, sird@rckc.at <sird@rckc.at> wrote:
>>> What's the point of that?
>> Oh actually the idea is that you only create one iframe and they just
>> modify the innerHTML, so the CSP restrictions do apply. In this case
>> the scripts don't load for other reasons, being.. that they don't have
>> time to execute. I forgot that detail later on.. good for pointing
>> that out ;)
>>> And one more thing.  If you just want to have your HTML parsed in a context in which scripts won't execute, you can simply createDocument a document via the DOMImplementation and then set innerHTML in there...
>> because that's an XML parser.
>> doc.childNodes[0].innerHTML="<img src=x onload=alert(1) onerror=alert(1)>"
>> NS_ERROR_DOM_SYNTAX_ERR on line 1: An invalid or illegal string was specified
>> Greetz!!
Received on Wednesday, 16 February 2011 05:02:08 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:18 UTC