CSP: setAttribute allows eval from string

From: gaz Heyes <gazheyes@gmail.com>
Date: Thu, 16 Jun 2011 12:02:04 +0100
Message-ID: <BANLkTim8SFPFUD0LufQTBnsLoMz6jp+fsw@mail.gmail.com>
To: public-web-security@w3.org

Hey all

CSP needs to account for event handlers when used with setAttribute as it
allows strings to be eval'd

<?php
session_start();
header("X-Content-Security-Policy: allow 'self'; options inline-script");
?>
<script>
window.onload=function() {
    document.links[0].setAttribute('onclick','alert(1)');
}
</script>

<a href="#">test</a>

Cheers

Gareth
Received on Thursday, 16 June 2011 11:02:31 UTC
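An added example, not code from the original post: a defence-in-depth guard for the path Gareth describes, wrapping setAttribute/setAttributeNS so that on* attribute strings never reach the DOM, paired with addEventListener as the safe way to attach behaviour. Current CSP without 'unsafe-inline' already makes the browser refuse such handlers; this guard only supplements that. makeStubElement is a constructed stand-in so the code runs in Node; in a browser you would pass Element.prototype to hardenSetAttribute.

```javascript
// HTML attribute names are case-insensitive, so "ONCLICK" is a handler too.
const HANDLER_ATTR = /^on[a-z]+$/i;
function isInlineHandlerAttribute(name) {
  return HANDLER_ATTR.test(String(name));
}
// Wrap setAttribute/setAttributeNS on `proto` (Element.prototype in a browser)
// so that attempts to set an on* attribute are dropped and recorded instead
// of becoming an executable string, the gap the report above describes.
function hardenSetAttribute(proto) {
  const blocked = [];
  for (const method of ['setAttribute', 'setAttributeNS']) {
    const original = proto[method];
    if (typeof original !== 'function') continue;
    proto[method] = function (...args) {
      // setAttributeNS(namespace, name, value): the name is the second argument
      const name = String(method === 'setAttributeNS' ? args[1] : args[0]);
      if (isInlineHandlerAttribute(name)) {
        blocked.push({ method, name }); // report to telemetry here in a real page
        return; // drop silently rather than throw, so feature probes don't break
      }
      return original.apply(this, args);
    };
  }
  return blocked; // live list of blocked attempts
}

// The safe way to attach behaviour: a function reference, never a string.
function onClick(el, handler) {
  el.addEventListener('click', handler);
}
// Minimal element stand-in (constructed here) so the guard runs without a DOM.
function makeStubElement() {
  const attrs = new Map();
  const listeners = [];
  return {
    attrs, listeners,
    setAttribute(name, value) { attrs.set(String(name).toLowerCase(), value); },
    setAttributeNS(ns, name, value) { attrs.set(String(name).toLowerCase(), value); },
    addEventListener(type, fn) { listeners.push({ type, fn }); },
  };
}
function demo() {
  const el = makeStubElement();
  const blocked = hardenSetAttribute(el); // real page: hardenSetAttribute(Element.prototype)
  el.setAttribute('onclick', 'alert(1)'); // the case from the report: blocked
  el.setAttribute('ONLOAD', 'alert(2)');  // upper-case name: still blocked
  el.setAttribute('href', '#');           // ordinary attribute: allowed
  onClick(el, () => {});                  // function reference: allowed
  return { blocked: blocked.length, attrs: [...el.attrs.keys()], listeners: el.listeners.length };
}
```

Install the guard before any other script runs, and treat it as a detection aid rather than a boundary: code in another realm (an iframe) still sees an unwrapped setAttribute, which is why the enforcement belongs in CSP itself.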
