Re: A perfect DOM sandbox

On 16 February 2011 23:02, Giorgio Maone <g.maone@informaction.com> wrote:

> Actually impl.createHTMLDocument() returns a document including head and
> body elements, so you can just do
>
> body = document.implementation.createHTMLDocument().body;
>
> body.innerHTML = "<img src=x onload=alert(1) onerror=alert(1)>";
> alert(body.innerHTML);
>

This stuff is really nice and the ff4/3.6. How would you read the data back
in order to add it to the DOM? Since we can't trust innerHTML or DOM styles
:(

Received on Thursday, 17 February 2011 11:20:28 UTC
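
One way to read the parsed markup back without trusting `innerHTML` serialization, as an added example that is not part of the original thread: walk the inert document's node tree and rebuild only allowlisted elements and attributes through DOM calls. The allowlists and the names `isSafeUrl`, `copySafe` and `sanitizeToFragment` are assumptions chosen for illustration.

```javascript
// Added example. Allowlists are illustrative assumptions, not from the thread.
const ALLOWED_TAGS = new Set(["A", "B", "I", "EM", "STRONG", "P", "BR", "UL", "OL", "LI", "IMG"]);
const ALLOWED_ATTRS = { A: ["href", "title"], IMG: ["src", "alt"] };
const URL_ATTRS = new Set(["href", "src"]);
// Elements whose text content must not survive as visible text either.
const DROP_SUBTREE = new Set(["SCRIPT", "STYLE", "IFRAME", "OBJECT", "EMBED"]);

// Accept relative URLs and a few schemes; control characters and whitespace are
// removed first because browsers ignore some of them when parsing a URL.
function isSafeUrl(value) {
  const v = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return m === null || ["http", "https", "mailto"].includes(m[1]);
}

// Rebuild src's children under destParent using nodes created by destDoc.
// Nothing is copied by default: no event handlers, no style, no unknown tags.
function copySafe(src, destDoc, destParent) {
  for (const node of Array.from(src.childNodes)) {
    if (node.nodeType === 3) { // text
      destParent.appendChild(destDoc.createTextNode(node.nodeValue));
    } else if (node.nodeType === 1) { // element
      const tag = node.tagName.toUpperCase();
      if (DROP_SUBTREE.has(tag)) continue;
      let target = destParent; // unknown tag: keep its children, drop the element
      if (ALLOWED_TAGS.has(tag)) {
        target = destDoc.createElement(tag);
        for (const name of ALLOWED_ATTRS[tag] || []) {
          const value = node.getAttribute(name);
          if (value !== null && (!URL_ATTRS.has(name) || isSafeUrl(value))) {
            target.setAttribute(name, value);
          }
        }
        destParent.appendChild(target);
      }
      copySafe(node, destDoc, target);
    } // comments and other node types are dropped
  }
  return destParent;
}

// Browser entry point: parse in an inert document, return a fragment to append.
function sanitizeToFragment(html, doc) {
  const inert = doc.implementation.createHTMLDocument("");
  inert.body.innerHTML = html;
  return copySafe(inert.body, doc, doc.createDocumentFragment());
}
```

In a browser, `document.body.appendChild(sanitizeToFragment(untrusted, document))` inserts the rebuilt nodes; the `onload`/`onerror` attributes from the quoted test string are never copied because they are not on the allowlist.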