W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

Re: CSP: setAttribute allows eval from string

From: Eduardo Vela <sirdarckcat@gmail.com>
Date: Thu, 16 Jun 2011 09:46:01 -0500
Message-ID: <BANLkTiktJS7xUMXfYRgW93vYqxZDuP-daA@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: public-web-security@w3.org
It's by design.

This also works with inline-scripts enabled:

document.write("<script>alert(1)</script>")
On Jun 16, 2011 6:03 AM, "gaz Heyes" <gazheyes@gmail.com> wrote:
> Hey all
>
> CSP needs to account for event handlers when used with setAttribute as it
> allows strings to be eval'd
>
> <?php
> session_start();
> header("X-Content-Security-Policy: allow 'self'; options inline-script");
> ?>
> <script>
> window.onload=function() {
> document.links[0].setAttribute('onclick','alert(1)');
> }
> </script>
>
> <a href="#">test</a>
>
> Cheers
>
> Gareth
Received on Thursday, 16 June 2011 14:46:36 UTC
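The point of the exchange above is that a policy which opts into inline script (the thread's pre-standard Firefox header `allow 'self'; options inline-script`) lets every string-to-code path through: `setAttribute('onclick', ...)`, `document.write('<script>...')` and inline `<script>` in markup are all governed by the same inline-script permission, so CSP is behaving as designed. The check a practitioner wants is therefore on the policy, not on the individual DOM API. The following auditor is an added example written for this page; it is not code from the thread, from the W3C, or from any browser. It models standardized CSP (the `Content-Security-Policy` header, CSP2/CSP3 semantics), not the legacy `X-Content-Security-Policy` syntax; the rendering of the thread's header as `default-src 'self'; script-src 'self' 'unsafe-inline'` is my own mapping, and the sample policies are constructed for the demonstration.

```javascript
// Added example, not from the original thread: given a standardized CSP
// header string, report which string-to-code sinks the policy still allows.
//
// Semantics modelled here (my reading of CSP2/CSP3, stated as assumptions):
//  - inline event handlers (on* attributes in markup, and ones created with
//    setAttribute) are governed by script-src-attr, falling back to
//    script-src, then default-src;
//  - inline <script> elements (including ones injected via document.write)
//    are governed by script-src-elem, falling back to script-src, then
//    default-src;
//  - eval()/new Function()/string timers are governed by script-src, then
//    default-src;
//  - 'unsafe-inline' is ignored when the governing list also carries a
//    nonce-source or hash-source;
//  - if no directive governs a sink at all, the sink is unrestricted.

function parsePolicy(header) {
  // Returns Map<directive-name, string[]> of source expressions.
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP keeps only the first occurrence of a duplicated directive.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function governingList(directives, chain) {
  // The first directive present in the fallback chain governs the sink.
  for (const name of chain) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null;
}

function hasNonceOrHash(sources) {
  return sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
}

function inlineAllowed(list) {
  if (list === null) return true; // nothing governs this sink at all
  const lower = list.sources.map((s) => s.toLowerCase());
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash(list.sources);
}

function auditScriptPolicy(header) {
  const directives = parsePolicy(header);
  const attr = governingList(directives, ['script-src-attr', 'script-src', 'default-src']);
  const elem = governingList(directives, ['script-src-elem', 'script-src', 'default-src']);
  const base = governingList(directives, ['script-src', 'default-src']);
  const evalAllowed =
    base === null ||
    base.sources.map((s) => s.toLowerCase()).includes("'unsafe-eval'");
  return {
    // setAttribute('onclick', ...) and on* attributes in markup
    inlineHandlersAllowed: inlineAllowed(attr),
    // document.write('<script>...</script>') and inline <script> in markup
    inlineScriptElementsAllowed: inlineAllowed(elem),
    // eval, new Function, setTimeout('...')
    evalAllowed,
    governedBy: {
      handlers: attr ? attr.name : null,
      elements: elem ? elem.name : null,
      eval: base ? base.name : null,
    },
  };
}

// Constructed sample policies. threadPolicy is my rendering of the
// thread's legacy header ("allow 'self'; options inline-script") in
// standardized syntax; the nonce value is made up.
const SAMPLES = {
  threadPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline'",
  nonceOnly: "script-src 'self' 'nonce-d2VsbCBkb25l'",
  inlinePlusNonce: "script-src 'self' 'unsafe-inline' 'nonce-d2VsbCBkb25l'",
  selfOnly: "default-src 'self'",
  attrSplit: "script-src 'self'; script-src-attr 'unsafe-inline'",
  noScriptDirective: "img-src 'none'",
};

for (const [label, header] of Object.entries(SAMPLES)) {
  console.log(label, '=>', JSON.stringify(auditScriptPolicy(header)));
}
```

Run against the thread's policy, the auditor reports that inline handlers and inline script elements are both allowed and that `script-src` is what allows them, which is exactly why Gareth's `setAttribute('onclick', ...)` and Eduardo's `document.write` both fire. The `nonceOnly` and `inlinePlusNonce` samples show the fix: once a nonce (or hash) is in the list, `'unsafe-inline'` no longer counts, so string-built handlers stay blocked while nonced `<script>` elements still run; handlers then have to be attached with `addEventListener` from nonced code rather than built from strings.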
