Re: A perfect DOM sandbox

On 16 February 2011 11:30, Giorgio Maone <g.maone@informaction.com> wrote:

> Not necessarily.
>
> Try
>
> var doc = docImpl.createDocumentType("html", "", "");
> var body = doc.createElement("body");
> body.innerHTML = "<img src=x onload=alert(1) onerror=alert(1)>";
>
>
> NoScript uses tricks like these to take into account our fancy and forgiving
> HTML parsing in its XSS filter :)
>

I think the createElement bit is broken in Firefox: when you assign to
innerHTML it executes without assigning the doc to the DOM.
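A browser test page, added here and not taken from either message in the thread, for checking the behaviour under discussion: it parses untrusted markup in a document created with document.implementation.createHTMLDocument (assumed here as the inert-document API in place of the quoted sketch's docImpl), strips on* attributes and script elements, and only then imports the nodes into the live page. The sample markup is constructed and the sanitizer is deliberately minimal; opening the file in a browser shows whether the handlers fire at either step.

```html
<!doctype html>
<meta charset="utf-8">
<title>Inert document parse check (added example)</title>
<pre id="out"></pre>
<script>
// Added example; assumes a current browser with document.implementation.
// The untrusted markup below is constructed for this demo.
const untrusted = '<img src=x onload=alert(1) onerror=alert(1)><b>ok</b>';
const log = msg => { document.getElementById('out').textContent += msg + '\n'; };

// 1. Parse in a document that has no browsing context: the HTML parser
//    runs, but no fetches happen and no event handler attributes fire.
const inert = document.implementation.createHTMLDocument('');
inert.body.innerHTML = untrusted;
log('elements parsed in inert document: ' +
    inert.body.querySelectorAll('*').length);

// 2. The parse was inert, but the nodes still carry their handlers.
//    Strip on* attributes and script elements before importing them.
function sanitize(root) {
  for (const el of Array.from(root.querySelectorAll('*'))) {
    if (el.localName === 'script') { el.remove(); continue; }
    for (const attr of Array.from(el.attributes)) {
      if (attr.name.toLowerCase().startsWith('on')) {
        el.removeAttribute(attr.name);
      }
    }
  }
}
sanitize(inert.body);

// 3. Only now move the subtree into the live document, where the
//    image load would otherwise trigger the surviving handlers.
for (const child of Array.from(inert.body.childNodes)) {
  document.body.appendChild(document.importNode(child, true));
}
log('handler attributes left in live document: ' +
    document.querySelectorAll('[onload],[onerror]').length);
</script>
```

If an alert appears at step 1 in a given browser, that browser is not treating the created document as inert; if it appears at step 3, the sanitizer missed a vector, which is why real filters also handle javascript: URLs, srcdoc and similar attributes.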

Received on Wednesday, 16 February 2011 20:49:45 UTC