
Re: A perfect DOM sandbox

From: Giorgio Maone <g.maone@informaction.com>
Date: Thu, 17 Feb 2011 00:02:20 +0100
Message-ID: <4D5C577C.9070607@informaction.com>
To: gaz Heyes <gazheyes@gmail.com>
CC: "sird@rckc.at" <sird@rckc.at>, Boris Zbarsky <bzbarsky@mit.edu>, public-web-security@w3.org

Actually impl.createHTMLDocument() returns a document including head and body 
elements, so you can just do

body = document.implementation.createHTMLDocument().body;
body.innerHTML = "<img src=x onload=alert(1) onerror=alert(1)>";
alert(body.innerHTML);

Cheers
-- G

Giorgio Maone wrote, On 16/02/2011 23.40:
> gaz Heyes wrote, On 16/02/2011 21.49:
>>
>> I think the createElement bit is broken in firefox, when you assigned to 
>> innerHTML it executes without assigning the doc to the dom.
> Damn copy & paste, I messed almost everything :)
>
> This one works on Firefox 4 and Chrome:
>
> var impl = document.implementation;
> var doc = impl.createHTMLDocument("");
> var body = doc.createElement("body");
> body.innerHTML = "<img src=x onload=alert(1) onerror=alert(1)>";
> alert(body.innerHTML);
>
>
> This one is slightly more complex but works on Fx 3.6 as well 
> (createHTMLDocument has been introduced in Gecko 2.0):
>
> var impl = document.implementation;
> var doc = impl.createDocument(
>       "http://www.w3.org/1999/xhtml", "html", impl.createDocumentType(
>         "html", "-//W3C//DTD HTML 4.01 Transitional//EN", 
> "http://www.w3.org/TR/html4/loose.dtd"
>       ));
> var body = doc.createElement("body");
> body.innerHTML = "<img src=x onload=alert(1) onerror=alert(1)>";
> alert(body.innerHTML);
>
>
> Cheers
> -- G
Received on Wednesday, 16 February 2011 23:05:06 GMT
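The thread's point is that a document created with document.implementation.createHTMLDocument() has no browsing context, so markup parsed into it is inert: inline handlers such as onerror never run. The following is an added example, not code from the thread or from any of its participants, showing the defensive use of that property: untrusted HTML is parsed in the inert document and only an allow-listed subset is rebuilt node by node in the live document. The function names (sanitizeHtml, copyClean, attributeAllowed, isSafeUrl) and the allow-lists are assumptions chosen for illustration; the sample input is constructed.

```javascript
// Added example (not code from the thread): parse untrusted HTML in an inert
// document created by createHTMLDocument(), then copy an allow-listed subset
// into the live document. Helper names and allow-lists are hypothetical.

const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br',
  'ul', 'ol', 'li', 'code', 'pre', 'span']);
// Per-tag attribute allow-list; '*' applies to every allowed tag.
const ALLOWED_ATTRS = { '*': new Set(['title']), a: new Set(['href']) };
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Every HTML event-handler content attribute is spelled on<event>.
function isEventHandlerAttribute(name) {
  return /^on/i.test(name);
}

// Accept relative URLs and allow-listed schemes. Browsers strip ASCII control
// characters (tab, newline) out of URLs, so "java\tscript:" would still run;
// strip them the same way before looking at the scheme.
function isSafeUrl(value) {
  const cleaned = String(value).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true; // no scheme: relative URL
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Decide whether one attribute survives on an allowed element.
function attributeAllowed(tag, name, value) {
  const n = name.toLowerCase();
  if (isEventHandlerAttribute(n)) return false;
  const perTag = ALLOWED_ATTRS[tag];
  const listed = ALLOWED_ATTRS['*'].has(n) || (perTag !== undefined && perTag.has(n));
  if (!listed) return false;
  if (n === 'href') return isSafeUrl(value);
  return true;
}

// Rebuild an allowed subtree in the live document. Disallowed elements are
// dropped together with their content, so <script> bodies never survive.
function copyClean(node, liveDoc) {
  if (node.nodeType === 3) return liveDoc.createTextNode(node.data); // Text
  if (node.nodeType !== 1) return null; // comments, processing instructions
  const tag = node.localName;
  if (!ALLOWED_TAGS.has(tag)) return null;
  const out = liveDoc.createElement(tag);
  for (const attr of node.attributes) {
    if (attributeAllowed(tag, attr.name, attr.value)) {
      out.setAttribute(attr.name, attr.value);
    }
  }
  for (const child of node.childNodes) {
    const c = copyClean(child, liveDoc);
    if (c) out.appendChild(c);
  }
  return out;
}

// Parse in the inert document (no browsing context: handlers do not fire),
// then copy into a fragment of the live document. The result is a DOM tree,
// not a string: serialising and re-parsing it with innerHTML would hand the
// live parser markup that can differ from the tree that was checked.
function sanitizeHtml(untrustedHtml, liveDoc) {
  const inert = liveDoc.implementation.createHTMLDocument('');
  inert.body.innerHTML = untrustedHtml;
  const frag = liveDoc.createDocumentFragment();
  for (const child of inert.body.childNodes) {
    const c = copyClean(child, liveDoc);
    if (c) frag.appendChild(c);
  }
  return frag;
}

// Browser usage with a constructed sample; skipped where no DOM exists.
if (typeof document !== 'undefined') {
  const sample = '<p title="t" onclick="alert(1)">hi <a href="javascript:alert(1)">x</a>' +
    '<img src=x onerror=alert(1)><script>alert(2)</script></p>';
  document.body.appendChild(sanitizeHtml(sample, document));
}
```

The inert document does the parsing; the copy step is what enforces policy. Keeping the two separate means the live document only ever receives nodes created through createElement/createTextNode with checked attributes, never a second parse of attacker-controlled text.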
