- From: Gareth Heyes <gazheyes@gmail.com>
- Date: Sat, 29 Jan 2011 21:26:42 +0000
- To: "sird@rckc.at" <sird@rckc.at>
- Cc: Adam Barth <w3c@adambarth.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Well have we not learnt anything, srcdoc takes over src and includes a unlimited amount of encoded html that renders, I can see why a lot of people thought it was a bad idea.
I remember your attribute reader point but I didnt realize that attributes could be used for html.
Sent from my secret lair
On 29 Jan 2011, at 20:28, "sird@rckc.at" <sird@rckc.at> wrote:
> If there's srcdoc and src, then srcdoc takes precedence.
>
> I do agree seamless iframes are kinda shady, and, for example, are
> useful for CSS attribute reading, but well.. there was a thread about
> this before.
>
> Greetings
> -- Eduardo
>
>
>
>
> On Sat, Jan 29, 2011 at 3:18 AM, gaz Heyes <gazheyes@gmail.com> wrote:
>> Haha this is hilarious if seamless iframes are allowed in seamless iframes
>> we have a HTML inception vector :D
>>
>> <iframe sandbox=allow-same-origin seamless=seamless
>> srcdoc="<iframe sandbox=allow-same-origin seamless=seamless srcdoc='&#60;&#105;&#102;&#114;&#97;&#109;&#101;&#32;&#115;&#97;&#110;&#100;&#98;&#111;&#120;&#61;&#97;&#108;&#108;&#111;&#119;&#45;&#115;&#97;&#109;&#101;&#45;&#111;&#114;&#105;&#103;&#105;&#110;&#32;&#115;&#101;&#97;&#109;&#108;&#101;&#115;&#115;&#61;&#115;&#101;&#97;&#109;&#108;&#101;&#115;&#115;&#32;&#115;&#114;&#99;&#100;&#111;&#99;&#61;&#84;&#105;&#109;&#101;&#95;&#105;&#115;&#95;&#115;&#108;&#111;&#119;&#101;&#114;&#95;&#104;&#101;&#114;&#101;&#62;&#60;&#47;&#105;&#102;&#114;&#97;&#109;&#101;&#62;'></iframe>"></iframe>
>>
>> What would be interesting is what happens when there's src and srcdoc,
>> because if we find an injection in src attribute we can inject this.
>>
>> On 28 January 2011 17:55, sird@rckc.at <sird@rckc.at> wrote:
>>>
>>> Hey!
>>>
>>> So, yes that's correct :P but you obviously html entify stuff inside
>>> the attribute.
>>>
>>> <iframe sandbox seamless srcdoc="<?php echo
>>>
>>> strtr($user_input,Array("&"=>"&","\""=>""","<"=>"<",">"=>">"));
>>> ?>">
>>>
>>>
>>> -- Eduardo
>>>
>>>
>>>
>>>
>>> On Fri, Jan 28, 2011 at 11:16 AM, gaz Heyes <gazheyes@gmail.com> wrote:
>>>> On 28 January 2011 16:56, sird@rckc.at <sird@rckc.at> wrote:
>>>>>
>>>>> Hi!
>>>>>
>>>>> The attribute "seamless" will do:
>>>>>
>>>>> 1. If you have b{color:blue} in the doc
>>>>> 2. You have:
>>>>> <iframe sandbox="allow-same-origin" seamless="seamless"
>>>>> srcdoc="<b>xD</b>"></iframe>
>>>>> 3. You get, a blue bold "xD".
>>>>
>>>> So it puts HTML content inside an attribute! How would it handle
>>>> entities? I
>>>> mean if an attribute is rendering as HTML then does ' become '? Who
>>>> thought putting HTML in attributes was a good idea? Does that mean stuff
>>>> like <a href=javascript&#58;alert(1)>test</a> I like the idea of
>>>> externally included sandboxed HTML but not inline.
>>>>
>>
>>
Received on Saturday, 29 January 2011 21:28:12 UTC