
Re: A perfect DOM sandbox

From: <sird@rckc.at>
Date: Wed, 16 Feb 2011 11:55:19 -0800
Message-ID: <AANLkTikXqvoH=0Dai6fTxkJ9E3KJ9VNdHMmyxkUGNhjj@mail.gmail.com>
To: Giorgio Maone <g.maone@informaction.com>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
Wow, nice.

If that's the case, then what Gareth needs, and I've been trying to do,
can be easily achieved on top of that, I guess. I'll make some tests.

I'm trying to think if there's anything else missing...

Greetz!
-- Eduardo

On Wed, Feb 16, 2011 at 3:30 AM, Giorgio Maone <g.maone@informaction.com> wrote:
> sird@rckc.at wrote, On 16/02/2011 5.24:
>>
>>> And one more thing.  If you just want to have your HTML parsed in a
>>> context in which scripts won't execute, you can simply createDocument a
>>> document via the DOMImplementation and then set innerHTML in there...
>>
>> because that's an XML parser.
>> doc.childNodes[0].innerHTML="<img src=x onload=alert(1) onerror=alert(1)>"
>> NS_ERROR_DOM_SYNTAX_ERR on line 1: An invalid or illegal string was
>> specified
>
> Not necessarily.
>
> Try
>
> var doc = docImpl.createDocument("", "", docImpl.createDocumentType("html", "", ""));
> var body = doc.createElement("body");
> body.innerHTML = "<img src=x onload=alert(1) onerror=alert(1)>";
>
>
> NoScript uses tricks like these to take into account our fancy and forgiving
> HTML parsing in its XSS filter :)
>
> Cheers
> -- G
>
Received on Wednesday, 16 February 2011 19:56:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 16 February 2011 19:56:14 GMT