
staticHTML support

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 29 Nov 2011 09:33:22 +0000
Message-ID: <CADJi-imeJzzXzJrFXTC_1t6Ta1_byb2ANKwN9hM7nG-+7Fes9w@mail.gmail.com>
To: "public-web-security@w3.org" <public-web-security@w3.org>
Hi all

I decided to add staticHTML support in JavaScript. Hopefully this will be
supported by the various vendors and should be much more secure than my
version, since you can have access to the DOM before it's rendered, but for
now it works via the Element prototype. There were a couple of problems I'd
like to discuss. I couldn't find a way of allowing an element to be
positioned or alter its dimensions without affecting elements around it.

For example, if an evil user were to do

document.getElementById('x').staticHTML='<a href="//evilsite" style="position:absolute;left:100px;top:100px;">I'm overlapping something I shouldn't</a>';

then just via the property there isn't any way I could figure to protect
against it. Maybe you could have a staticHTML area, which would solve the
problem by restricting all modifications to this area. Also I guess styles
are useless too, since adding directly to the DOM won't allow styles to be
rendered; I could add a staticCssText option which could solve the problem.

The other problem I had is that any element which has a class, id or name
must be modified to make it safe from affecting the rest of the page; you
wouldn't want an evil user to assign or modify an existing CSS class, for
example. The only way round this I could see was to prefix the staticHTML
with a staticHTML appid to prevent it from being able to modify outside of
its zone. Anyway I hope you support it :D

Blog post here:
http://www.thespanner.co.uk/2011/11/29/statichtml-property/

Demo here:
http://www.businessinfo.co.uk/labs/staticHTML/staticHTML.html

Cheers

Gareth
Received on Tuesday, 29 November 2011 09:33:51 GMT
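An added example (not the author's staticHTML code or the linked demo) modelling the two mitigations the post proposes, in JavaScript over a hand-built element tree so it runs without a DOM: the appid prefix on id/class/name values, and an assumed allow-list of inline style properties as one way to stop a fragment positioning itself over the host page. The tree shape, the allow-list and the appid value are assumptions.

```javascript
const NAMESPACED_ATTRS = new Set(['id', 'class', 'name']);
// Assumed allow-list of cosmetic properties; position/top/left/z-index/margin
// and anything else not listed is dropped, so the element stays in normal flow.
const ALLOWED_STYLE_PROPS = new Set(['color', 'background-color', 'font-weight', 'text-decoration']);

// Keep only allow-listed declarations whose value cannot trigger a request or script.
function sanitizeStyle(styleText) {
  const kept = [];
  for (const decl of styleText.split(';')) {
    const i = decl.indexOf(':');
    if (i < 0) continue;
    const prop = decl.slice(0, i).trim().toLowerCase();
    const value = decl.slice(i + 1).trim();
    if (ALLOWED_STYLE_PROPS.has(prop) && !/url\(|expression\(/i.test(value)) kept.push(`${prop}: ${value}`);
  }
  return kept.join('; ');
}

// Prefix every id/class/name token with the appid (class="btn" -> "app1-btn") so the
// fragment cannot target or shadow ids and CSS classes outside its zone.
function sanitizeAttrs(attrs, appid) {
  const out = {};
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    if (NAMESPACED_ATTRS.has(name)) {
      out[name] = value.split(/\s+/).filter(Boolean).map((t) => `${appid}-${t}`).join(' ');
    } else if (name === 'style') {
      const safe = sanitizeStyle(value);
      if (safe) out.style = safe;
    } else if (!name.startsWith('on')) {
      out[name] = value; // event-handler attributes are dropped; everything else is kept
    }
  }
  return out;
}

// Walk a parsed tree { tag, attrs, children } (text children are plain strings).
function sanitizeTree(node, appid) {
  if (typeof node === 'string') return node;
  return { tag: node.tag, attrs: sanitizeAttrs(node.attrs || {}, appid),
           children: (node.children || []).map((c) => sanitizeTree(c, appid)) };
}

// Constructed sample: the overlapping link from the post, already parsed into a tree.
const EVIL_FRAGMENT = { tag: 'a', children: ["I'm overlapping something I shouldn't"],
  attrs: { href: '//evilsite', class: 'btn', style: 'position:absolute;left:100px;top:100px;color:red' } };
console.log(JSON.stringify(sanitizeTree(EVIL_FRAGMENT, 'app1')));
```

In a browser the same walk would run over the nodes of the fragment before insertion; note that prefixing ids does not rewrite references such as href="#x" inside the fragment, which a full implementation would also have to namespace.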
