Re: CSP: setAttribute allows eval from string

From: gaz Heyes <gazheyes@gmail.com>
Date: Thu, 16 Jun 2011 15:56:31 +0100
Message-ID: <BANLkTikgc19=W07myZgoMt=qwpO7-5_AxA@mail.gmail.com>
To: sird@rckc.at
Cc: public-web-security@w3.org

On 16 June 2011 15:46, Eduardo Vela <sirdarckcat@gmail.com> wrote:

> It's by design.
>
> This also works with inline-scripts enabled:
>
> document.write("<script>alert(1)</script>")
>

That's slightly different though; you're writing HTML, but in my previous
example it's clearly executing a string as JS. But I take your point.

Received on Thursday, 16 June 2011 14:57:01 UTC
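
An added example, not code from this thread: a small JavaScript audit function (assuming CSP Level 2 semantics) that reports, for a given policy header, whether the two routes discussed above stay open, an inline script element written via document.write and an event-handler attribute set from a string via setAttribute, and contrasts them with eval()-style execution, which CSP gates separately under 'unsafe-eval'. The sample policies and the nonce value are constructed for the demonstration.

```javascript
// Added example; not from the thread. Assumes CSP Level 2 semantics:
// inline event handlers and inline <script> elements are governed by
// 'unsafe-inline', eval()/new Function() by 'unsafe-eval', and a nonce
// or hash in the source list disables 'unsafe-inline'.

// Parse a Content-Security-Policy header into directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Duplicate directives are ignored by the spec; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src falls back to default-src; with neither, scripts are unrestricted.
function scriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Report which string-to-script routes the policy still allows.
function auditScriptPolicy(header) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) {
    return { inlineScript: true, inlineHandlers: true, evalFromString: true };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const inlineAllowed = lower.includes("'unsafe-inline'") && !hasNonceOrHash;
  return {
    // document.write("<script>...</script>"): an inline script element.
    inlineScript: inlineAllowed,
    // el.setAttribute('onclick', str): an inline event handler; it executes
    // a string like eval does, but CSP files it under 'unsafe-inline'.
    inlineHandlers: inlineAllowed,
    // eval(str), new Function(str), setTimeout(str): 'unsafe-eval' only.
    evalFromString: lower.includes("'unsafe-eval'"),
  };
}

// Constructed sample policies: the "inline scripts enabled" case from the
// thread beside a nonce-based policy that closes both routes.
console.log(auditScriptPolicy("default-src 'self'; script-src 'self' 'unsafe-inline'"));
console.log(auditScriptPolicy("script-src 'self' 'nonce-d3adb33f'"));
```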
