
Re: A perfect DOM sandbox

From: gaz Heyes <gazheyes@gmail.com>
Date: Wed, 16 Feb 2011 20:49:13 +0000
Message-ID: <AANLkTikNNP1Nt880uPZp24fhsEd08L4BUhf=GBLkTs0z@mail.gmail.com>
To: Giorgio Maone <g.maone@informaction.com>
Cc: "sird@rckc.at" <sird@rckc.at>, Boris Zbarsky <bzbarsky@mit.edu>, public-web-security@w3.org

On 16 February 2011 11:30, Giorgio Maone <g.maone@informaction.com> wrote:

> Not necessarily.
>
> Try
>
> var doc = docImpl.createDocumentType("html", "", "");
> var body = doc.createElement("body");
> body.innerHTML = "<img src=x onload=alert(1) onerror=alert(1)>";
>
>
> NoScript uses tricks like these to take in account out fancy and forgiving
> HTML parsing in its XSS filter :)
>

I think the createElement bit is broken in Firefox; when you assign to
innerHTML it executes without the doc being attached to the DOM.
Received on Wednesday, 16 February 2011 20:49:45 GMT
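What a detached document buys an XSS filter, as an added example (not code from either correspondent or from NoScript): untrusted markup is parsed into a document created through DOMImplementation, which has no window and so loads nothing and fires no handlers, and only then are event-handler attributes and script-scheme URLs stripped. It assumes a browser DOM for sanitizeHtml; the two predicate helpers run anywhere, and the sample input is the one from the quoted message.

```javascript
// Added example, not code from the mailing-list thread or from NoScript.
// Parse untrusted HTML in an inert document, then strip script-bearing
// content before any of it reaches the live DOM.

// Every event-handler attribute the HTML parser recognises starts with "on".
function isEventHandlerAttr(name) {
  return /^on/i.test(name);
}

// URL-valued attributes whose scheme can carry script.
const URL_ATTRS = new Set(["href", "src", "action", "formaction", "xlink:href"]);

function isScriptUrl(value) {
  // Drop control and whitespace characters the parser tolerates inside a scheme.
  const cleaned = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  return cleaned.startsWith("javascript:") || cleaned.startsWith("vbscript:");
}

// Requires a browser DOM (document, NodeFilter). Returns sanitized markup.
function sanitizeHtml(untrusted) {
  // createHTMLDocument yields a Document with no browsing context, so the
  // innerHTML assignment below does not run onload/onerror or fetch anything.
  const inert = document.implementation.createHTMLDocument("");
  inert.body.innerHTML = untrusted;

  // querySelectorAll returns a static list, so removing while iterating is safe.
  for (const el of inert.body.querySelectorAll("script, iframe, object, embed")) {
    el.remove();
  }
  // Walk every remaining element and drop handler and script-URL attributes.
  const walker = inert.createTreeWalker(inert.body, NodeFilter.SHOW_ELEMENT);
  for (let el = walker.nextNode(); el; el = walker.nextNode()) {
    for (const attr of Array.from(el.attributes)) {
      const name = attr.name.toLowerCase();
      if (isEventHandlerAttr(name) || (URL_ATTRS.has(name) && isScriptUrl(attr.value))) {
        el.removeAttribute(attr.name);
      }
    }
  }
  return inert.body.innerHTML;
}

// Constructed sample input (the snippet from the quoted message); runs only
// where a DOM exists, e.g. pasted into a browser console.
if (typeof document !== "undefined") {
  console.log(sanitizeHtml("<img src=x onload=alert(1) onerror=alert(1)>"));
}
```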
