Re: A perfect DOM sandbox

From: <sird@rckc.at>
Date: Thu, 17 Feb 2011 08:39:43 -0800
Message-ID: <AANLkTinLVm7AJfpz+oGo+Jxsq0srAJ4KjsM3ekCtiv8i@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Giorgio Maone <g.maone@informaction.com>, Boris Zbarsky <bzbarsky@mit.edu>, public-web-security@w3.org
yeah, reading innerHTML is dangerous in all browsers.. you need to do
your own serializer.. which is hard, and can't be done with the tools
in the html5 standard yet, since the information on the Nodes doesn't
include the type of node (self close, cdata, etc..).

however, I think that once you have a parser.. you can have a virtual
DOM and if you want to apply the content, you can create the DOM
manually.. no need to use innerHTML. That's how CAJA works.

Greetz
-- Eduardo
On Thu, Feb 17, 2011 at 6:27 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 17 February 2011 13:59, Giorgio Maone <g.maone@informaction.com> wrote:
>>
>> What am I missing? (sorry if I'm actually missing anything obvious, since
>> I'm late in this thread).
>> -- G
>
> Basically in every browser (including FF) single DOM CSS rules become
> multiple rules if you read the data back and assign it, innerHTML can
> rewrite the HTML when it's modified and thus create malicious data from
> perfectly fine valid data.
>
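An added example, not code from this thread, from CAJA, or from any browser, of the approach Eduardo describes: a virtual DOM whose nodes record their kind explicitly, a serializer that uses that recorded kind to escape each context (text, attribute, comment, void element) instead of re-reading innerHTML, and a renderer that materialises the tree through createElement/createTextNode/setAttribute so nothing is ever re-parsed. The node constructors, the `fakeDocument` stand-in (so it runs under Node) and the sample untrusted string are all constructed for this example.

```javascript
// Added example, not code from the thread, CAJA or any browser: a minimal
// virtual DOM whose nodes carry their kind, so a tree can be serialised with
// context-appropriate escaping or built with DOM construction calls directly.

const VOID_ELEMENTS = new Set(['area', 'base', 'br', 'col', 'embed', 'hr', 'img',
  'input', 'link', 'meta', 'source', 'track', 'wbr']);
// The HTML parser treats the content of these elements as raw text, so
// entity-escaping a child text node would not protect it; refuse them outright.
const RAW_TEXT_ELEMENTS = new Set(['script', 'style', 'textarea', 'title', 'xmp',
  'plaintext', 'noscript', 'iframe', 'noembed', 'noframes']);
const NAME = /^[a-z][a-z0-9-]*$/; // conservative tag/attribute name syntax

// Node constructors: every node records its kind, which is exactly the
// information that is missing when you read a tree back through innerHTML.
const el = (tag, attrs = {}, children = []) =>
  ({ kind: 'element', tag: String(tag).toLowerCase(), attrs, children });
const text = (value) => ({ kind: 'text', value: String(value) });
const comment = (value) => ({ kind: 'comment', value: String(value) });

const escapeText = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => escapeText(s).replace(/"/g, '&quot;');

// Serialise a virtual tree to HTML, choosing the escaping from the node kind.
function serialize(node) {
  switch (node.kind) {
    case 'text':
      return escapeText(node.value);
    case 'comment':
      // Comment bodies cannot be entity-escaped; reject anything that could close the comment early.
      if (node.value.includes('--') || node.value.startsWith('>')) throw new Error('unsafe comment body');
      return `<!--${node.value}-->`;
    case 'element': {
      if (!NAME.test(node.tag)) throw new Error(`bad tag name: ${node.tag}`);
      if (RAW_TEXT_ELEMENTS.has(node.tag)) throw new Error(`raw-text element not supported: ${node.tag}`);
      let out = `<${node.tag}`;
      for (const [name, value] of Object.entries(node.attrs)) {
        if (!NAME.test(name)) throw new Error(`bad attribute name: ${name}`);
        out += ` ${name}="${escapeAttr(String(value))}"`;
      }
      if (VOID_ELEMENTS.has(node.tag)) {
        if (node.children.length) throw new Error(`void element ${node.tag} cannot have children`);
        return out + '>';
      }
      return out + '>' + node.children.map(serialize).join('') + `</${node.tag}>`;
    }
    default:
      throw new Error(`unknown node kind: ${node.kind}`);
  }
}

// Build the tree with DOM construction calls instead of innerHTML; text nodes
// stay text because nothing is re-parsed. `doc` is any object exposing
// createElement/createTextNode/createComment (a browser document or the stand-in below).
function render(node, doc) {
  if (node.kind === 'text') return doc.createTextNode(node.value);
  if (node.kind === 'comment') return doc.createComment(node.value);
  if (node.kind !== 'element') throw new Error(`unknown node kind: ${node.kind}`);
  if (!NAME.test(node.tag)) throw new Error(`bad tag name: ${node.tag}`);
  const e = doc.createElement(node.tag);
  for (const [name, value] of Object.entries(node.attrs)) {
    if (!NAME.test(name)) throw new Error(`bad attribute name: ${name}`);
    e.setAttribute(name, String(value));
  }
  for (const child of node.children) e.appendChild(render(child, doc));
  return e;
}

// Constructed stand-in for a browser document so the example runs under Node;
// it only records what was built, which is enough to inspect the renderer's output.
const fakeDocument = {
  createElement: (tag) => ({
    nodeName: tag.toUpperCase(), attributes: {}, childNodes: [],
    setAttribute(n, v) { this.attributes[n] = v; },
    appendChild(c) { this.childNodes.push(c); return c; },
  }),
  createTextNode: (data) => ({ nodeName: '#text', data }),
  createComment: (data) => ({ nodeName: '#comment', data }),
};

// Constructed sample: tag-like untrusted input placed as a text node and a
// quote-bearing attribute value stay data on both paths.
const untrusted = '<b onmouseover="x">tag-like text</b>';
const tree = el('div', { title: 'a"b' }, [text(untrusted), el('br')]);

function demo() {
  return { html: serialize(tree), dom: render(tree, fakeDocument) };
}
```

In a browser, pass `document` to `render` in place of `fakeDocument` and append the returned element to a container; the serializer is what a sandbox would use when it must hand HTML text to something else, and it refuses the cases (raw-text elements, odd names, comment terminators) where escaping alone cannot keep data from being re-interpreted as markup.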
Received on Thursday, 17 February 2011 16:53:15 GMT