W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: CSP XML Data with tokens

From: <sird@rckc.at>
Date: Fri, 28 Jan 2011 11:55:18 -0600
Message-ID: <AANLkTi=GjzafSf2njpJHZHNuV81HcMoyPnoqLyfR-J6o@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Adam Barth <w3c@adambarth.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
Hey!

So, yes that's correct :P but you obviously html entify stuff inside
the attribute.

<iframe sandbox seamless srcdoc="<?php echo
strtr($user_input,Array("&"=>"&amp;","\""=>"&quot;","<"=>"&lt;",">"=>"&gt;"));
?>">


-- Eduardo




On Fri, Jan 28, 2011 at 11:16 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 28 January 2011 16:56, sird@rckc.at <sird@rckc.at> wrote:
>>
>> Hi!
>>
>> The attribute "seamless" will do:
>>
>> 1. If you have b{color:blue} in the doc
>> 2. You have:
>> <iframe sandbox="allow-same-origin" seamless="seamless"
>> srcdoc="<b>xD</b>"></iframe>
>> 3. You get, a blue bold "xD".
>
> So it puts HTML content inside an attribute! How would it handle entities? I
> mean if an attribute is rendering as HTML then does &#39; become '? Who
> thought putting HTML in attributes was a good idea? Does that mean stuff
> like <a href=javascript&amp;#58;alert(1)>test</a> I like the idea of
> externally included sandboxed HTML but not inline.
>
Received on Friday, 28 January 2011 17:56:11 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 28 January 2011 17:56:12 GMT