
Re: CSP: setAttribute allows eval from string

From: Jarred Nicholls <jarred@sencha.com>
Date: Thu, 16 Jun 2011 13:55:55 -0400
Message-ID: <BANLkTimz23aC-9EnQ0qEvLE3bAL-6phEsQ@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: sird@rckc.at, public-web-security@w3.org
On Thu, Jun 16, 2011 at 10:56 AM, gaz Heyes <gazheyes@gmail.com> wrote:

> On 16 June 2011 15:46, Eduardo Vela <sirdarckcat@gmail.com> wrote:
>
>> It's by design.
>>
>> This also works with inline-scripts enabled:
>>
>> document.write("<script>alert(1)</script>")
>>
>
> That's slightly different though: you're writing HTML, but in my previous
> example it's clearly executing a string as JS. I take your point, though.
>

I'm not following; why would there be a difference in treatment between DOM
access and the parser?

-- 
................................................................

*Sencha*
Jarred Nicholls, Senior Software Architect
@jarrednicholls
 <http://twitter.com/jarrednicholls>
Received on Thursday, 16 June 2011 17:56:43 UTC
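As an added example that is not part of the original thread, the JavaScript below models how a CSP script-src directive treats the sinks discussed above. It assumes CSP 1.0 semantics (an event handler set through setAttribute and a script element inserted by document.write both count as inline script, while string-to-code functions count as eval) and simplifies host-source matching to an exact comparison against constructed origins.

```javascript
// Added example, not code from the thread. Models how a CSP 1.0 script-src
// directive decides the sinks discussed above. Assumption: an event handler
// set via setAttribute('onclick', ...) and a <script> inserted by
// document.write() are both "inline script" (need 'unsafe-inline'), while
// eval()/Function()/setTimeout("...") need 'unsafe-eval'. Host-source
// matching is simplified to an exact origin comparison; origins are constructed.

// Parse a script-src value such as "'self' https://cdn.example.com 'unsafe-inline'".
function parseScriptSrc(directive) {
  const tokens = directive.trim().split(/\s+/).filter(Boolean);
  return {
    unsafeInline: tokens.includes("'unsafe-inline'"),
    unsafeEval: tokens.includes("'unsafe-eval'"),
    self: tokens.includes("'self'"),
    hosts: tokens.filter((t) => !t.startsWith("'")),
  };
}

// The operations from the thread, mapped to the category CSP puts them in.
const SINKS = {
  // el.setAttribute('onclick', 'alert(1)'): DOM access, but still an inline handler
  setAttributeHandler: { kind: 'inline' },
  // document.write('<script>alert(1)</script>'): parser path, also inline script
  documentWriteScript: { kind: 'inline' },
  // eval('alert(1)'), new Function('...'), setTimeout('...'): string-to-code
  evalString: { kind: 'eval' },
  // <script src="https://cdn.example.com/x.js"> (constructed origin)
  externalScript: { kind: 'external', origin: 'https://cdn.example.com' },
};

// Does the parsed policy allow this sink to execute on a page at pageOrigin?
function allows(policy, sink, pageOrigin = 'https://app.example') {
  switch (sink.kind) {
    case 'inline':
      return policy.unsafeInline;
    case 'eval':
      return policy.unsafeEval;
    case 'external':
      return (policy.self && sink.origin === pageOrigin) || policy.hosts.includes(sink.origin);
    default:
      throw new Error(`unknown sink kind: ${sink.kind}`);
  }
}

// Report which of the thread's sinks a policy lets through: adding
// 'unsafe-inline' opens the setAttribute and document.write paths together.
function audit(directive) {
  const policy = parseScriptSrc(directive);
  const allowed = Object.keys(SINKS).filter((name) => allows(policy, SINKS[name]));
  return { directive, allowed };
}
```

Both inline paths are decided by the same token, which is the point of the reply above: the policy does not distinguish DOM access from the parser.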

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:19 UTC