
Re: A perfect DOM sandbox

From: Giorgio Maone <g.maone@informaction.com>
Date: Thu, 17 Feb 2011 14:59:32 +0100
Message-ID: <4D5D29C4.2030305@informaction.com>
To: gaz Heyes <gazheyes@gmail.com>
CC: "sird@rckc.at" <sird@rckc.at>, Boris Zbarsky <bzbarsky@mit.edu>, public-web-security@w3.org

> This stuff is really nice and the ff4/3.6. How would you read the data back 
> in order to add it to the DOM? Since we can't trust innerHTML or DOM styles :(

I'm not sure I understand your requirements.
Once the raw data is parsed, you've got a valid DOM which you can 
walk/filter/whatever by using the usual DOM / XPath stuff.
Even the innerHTML output is now rebuilt from the DOM and thus "normalized" 
(e.g. you get double quotes around every attribute, invalid characters inside 
tags are removed and so on).

What am I missing? (sorry if I'm actually missing anything obvious, since I'm 
late in this thread).
-- G
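The read-back step gaz asks about, as an added example (not code from Giorgio's or gaz's posts): parse the untrusted markup into the inert document returned by createHTMLDocument(), walk that DOM with an allow-list, and rebuild only the surviving elements and attributes into the live document. The allow-lists, the URL scheme policy and the function names are assumptions for illustration.

```javascript
// Hypothetical allow-lists: everything not listed (on* handlers, style,
// script, iframe, ...) is dropped when the clean copy is built.
const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'img']);
const ALLOWED_ATTRS = { a: ['href', 'title'], img: ['src', 'alt'] };
const URL_ATTRS = new Set(['href', 'src']);

// Accept relative/fragment URLs and http, https and mailto schemes only.
// Control characters and whitespace are stripped first, so "java\tscript:"
// style obfuscation is normalised before the scheme is inspected.
function isSafeUrl(value) {
  const v = String(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return m === null || ['http', 'https', 'mailto'].includes(m[1]);
}

function isAllowedAttribute(tag, name, value) {
  const allowed = ALLOWED_ATTRS[tag] || [];
  if (!allowed.includes(name)) return false;
  return URL_ATTRS.has(name) ? isSafeUrl(value) : true;
}

// Recursively copy a node from the inert document into outDoc, keeping only
// allow-listed elements and attributes. Disallowed elements are dropped with
// their whole subtree (conservative: no text from inside <script> survives).
function cloneClean(node, outDoc) {
  if (node.nodeType === 3) return outDoc.createTextNode(node.data); // text
  if (node.nodeType !== 1 || !ALLOWED_TAGS.has(node.localName)) return null;
  const tag = node.localName;
  const clean = outDoc.createElement(tag);
  for (const { name, value } of Array.from(node.attributes)) {
    if (isAllowedAttribute(tag, name, value)) clean.setAttribute(name, value);
  }
  for (const child of Array.from(node.childNodes)) {
    const c = cloneClean(child, outDoc);
    if (c) clean.appendChild(c);
  }
  return clean;
}

// Parse into a document with no browsing context: scripts do not run and
// onload/onerror handlers never fire while it is parsed or walked.
function sanitizeHtml(untrusted, outDoc = document) {
  const inert = document.implementation.createHTMLDocument('');
  inert.body.innerHTML = untrusted;
  const frag = outDoc.createDocumentFragment();
  for (const child of Array.from(inert.body.childNodes)) {
    const c = cloneClean(child, outDoc);
    if (c) frag.appendChild(c);
  }
  return frag; // caller does target.appendChild(frag)
}
```

In a browser, `sanitizeHtml('<img src=x onload=alert(1) onerror=alert(1)>')` yields a fragment containing `<img src="x">` with both handlers removed.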

gaz Heyes wrote, On 17/02/2011 12.19:
> On 16 February 2011 23:02, Giorgio Maone <g.maone@informaction.com 
> <mailto:g.maone@informaction.com>> wrote:
>
>     Actually impl.createHTMLDocument() returns a document including head and
>     body elements, so you can just do
>
>     body = document.implementation.createHTMLDocument().body;
>
>     body.innerHTML = "<img src=x onload=alert(1) onerror=alert(1)>";
>     alert(body.innerHTML);
>
>
> This stuff is really nice and the ff4/3.6. How would you read the data back 
> in order to add it to the DOM? Since we can't trust innerHTML or DOM styles :(

Received on Thursday, 17 February 2011 14:12:05 GMT
