- From: gaz Heyes <gazheyes@gmail.com>
- Date: Thu, 16 Jun 2011 15:56:31 +0100
- To: sird@rckc.at
- Cc: public-web-security@w3.org
Received on Thursday, 16 June 2011 14:57:01 UTC
On 16 June 2011 15:46, Eduardo Vela <sirdarckcat@gmail.com> wrote:
> It's by design.
>
> This also works with inline-scripts enabled:
>
> document.write("<script>alert(1)</script>")

That's slightly different though, you're writing HTML, but in my previous example it's clearly executing a string as JS, but I take your point.