Re: A perfect DOM sandbox

From: gaz Heyes <gazheyes@gmail.com>
Date: Thu, 17 Feb 2011 11:19:55 +0000
Message-ID: <AANLkTik533eXgLaYY1dhKmY_pDRdsxN736LNtuCTaAiu@mail.gmail.com>
To: Giorgio Maone <g.maone@informaction.com>
Cc: "sird@rckc.at" <sird@rckc.at>, Boris Zbarsky <bzbarsky@mit.edu>, public-web-security@w3.org

On 16 February 2011 23:02, Giorgio Maone <g.maone@informaction.com> wrote:

> Actually impl.createHTMLDocument() returns a document including head and
> body elements, so you can just do
>
> body = document.implementation.createHTMLDocument().body;
>
> body.innerHTML = "<img src=x onload=alert(1) onerror=alert(1)>";
> alert(body.innerHTML);
>

This stuff is really nice and the ff4/3.6. How would you read the data back
in order to add it to the DOM? Since we can't trust innerHTML or DOM styles :(
Received on Thursday, 17 February 2011 11:20:28 GMT
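
One way to approach the question raised in the message above, as an added example that is not part of the thread or any participant's code: instead of serializing the inert document with innerHTML, walk its tree and rebuild each node in the live document from an allowlist. The tag and attribute allowlists, the URL pattern and the function names are assumptions chosen for illustration.

```javascript
// Allowlists are illustrative assumptions, not taken from the thread.
const ALLOWED_TAGS = new Set(["A", "B", "BR", "EM", "I", "IMG", "LI", "OL", "P", "STRONG", "UL"]);
const ALLOWED_ATTRS = { A: ["href", "title"], IMG: ["src", "alt"] };
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_URL = /^(?:https?|mailto):/i; // absolute URLs only; everything else is dropped
const DROP_WITH_CONTENT = new Set(["SCRIPT", "STYLE", "IFRAME", "OBJECT", "EMBED"]);

// Copy the filtered children of `parent` into a fragment owned by liveDoc.
function copyChildren(parent, liveDoc) {
  const frag = liveDoc.createDocumentFragment();
  for (const child of Array.from(parent.childNodes)) {
    const copy = copyNode(child, liveDoc);
    if (copy) frag.appendChild(copy);
  }
  return frag;
}

// Rebuild one inert node using only nodes created by liveDoc.
// Returns null for anything that must not be copied.
function copyNode(node, liveDoc) {
  if (node.nodeType === 3) return liveDoc.createTextNode(node.nodeValue); // text
  if (node.nodeType !== 1) return null; // comments and other non-element nodes
  const tag = node.nodeName.toUpperCase();
  if (DROP_WITH_CONTENT.has(tag)) return null;
  // Unknown element: drop the tag itself but keep its filtered children.
  if (!ALLOWED_TAGS.has(tag)) return copyChildren(node, liveDoc);
  const el = liveDoc.createElement(tag.toLowerCase());
  // Only allowlisted attributes are read, so on* handlers are never copied.
  for (const name of ALLOWED_ATTRS[tag] || []) {
    const value = node.getAttribute(name);
    if (value === null) continue;
    if (URL_ATTRS.has(name) && !SAFE_URL.test(value)) continue;
    el.setAttribute(name, value);
  }
  el.appendChild(copyChildren(node, liveDoc));
  return el;
}

// Parse untrusted markup in an inert document, then rebuild it for liveDoc.
function sanitizeInto(html, liveDoc) {
  const inert = liveDoc.implementation.createHTMLDocument("");
  inert.body.innerHTML = html;
  return copyChildren(inert.body, liveDoc);
}
```

Because nothing is serialized and re-parsed, event-handler attributes such as the onload and onerror in the quoted snippet never reach the live document; the relative `src=x` from that snippet is also dropped under this URL rule.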