- From: <sird@rckc.at>
- Date: Thu, 17 Feb 2011 08:39:43 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Giorgio Maone <g.maone@informaction.com>, Boris Zbarsky <bzbarsky@mit.edu>, public-web-security@w3.org

yeah, reading innerHTML is dangerous in all browsers.. you need to do your own serializer.. which is hard, and can't be done with the tools in the html5 standard yet, since the information on the Nodes doesn't include the type of node (self close, cdata, etc..).

however, I think that once you have a parser.. you can have a virtual DOM and if you want to apply the content, you can create the DOM manually.. no need to use innerHTML. That's how CAJA works.

Greetz
-- Eduardo

On Thu, Feb 17, 2011 at 6:27 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 17 February 2011 13:59, Giorgio Maone <g.maone@informaction.com> wrote:
>>
>> What am I missing? (sorry if I'm actually missing anything obvious, since
>> I'm late in this thread).
>> -- G
>
> Basically in every browser (including FF) single DOM CSS rules become
> multiple rules if you read the data back and assign it, innerHTML can
> rewrite the HTML when it's modified and thus create malicious data from
> perfectly fine valid data.
>

Received on Thursday, 17 February 2011 16:53:15 UTC
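
The approach described in the message above (keep a virtual DOM and create the real nodes manually instead of assigning innerHTML), sketched as an added example that is not part of the original thread and is not Caja's code. The allowlist, the `{tag, attrs, children}` node shape and the function names are assumptions made for illustration.

```javascript
// Assumed policy: element name -> attribute names allowed on it.
const ALLOWED = {
  p: [], b: [], i: [], em: [], strong: [], ul: [], li: [],
  a: ["href", "title"],
};
// Only absolute http(s) and mailto URLs pass; everything else is dropped.
const SAFE_URL = /^(https?:|mailto:)/i;

// Turn one virtual node into a real node using DOM constructors only.
// Strings become text nodes, so markup inside them is never parsed.
function build(doc, vnode) {
  if (typeof vnode === "string") return doc.createTextNode(vnode);
  const tag = String(vnode.tag).toLowerCase();
  // Elements outside the allowlist are dropped with their whole subtree.
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, tag)) return null;
  const el = doc.createElement(tag);
  for (const [name, value] of Object.entries(vnode.attrs || {})) {
    const n = name.toLowerCase();
    if (!ALLOWED[tag].includes(n)) continue; // style, on* handlers, etc.
    if (n === "href" && !SAFE_URL.test(String(value).trim())) continue;
    el.setAttribute(n, String(value));
  }
  for (const child of vnode.children || []) {
    const node = build(doc, child);
    if (node) el.appendChild(node);
  }
  return el;
}

// Replace the children of target without reading or writing innerHTML,
// so no serialize-then-reparse round trip can rewrite the content.
function applyTree(doc, target, vnodes) {
  while (target.firstChild) target.removeChild(target.firstChild);
  for (const v of vnodes) {
    const node = build(doc, v);
    if (node) target.appendChild(node);
  }
  return target;
}
```

In a browser, pass `document` as `doc`; because nothing is ever serialized back to a string, the rule-splitting and rewriting behaviour described in the quoted message has no point at which to occur.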