W3C home > Mailing lists > Public > public-web-security@w3.org > November 2011

Re: staticHTML support

From: <sird@rckc.at>
Date: Tue, 29 Nov 2011 19:29:31 -0800
Message-ID: <CACSvzRxGWB1H0svPy7pQvhWKL8XKz5-QkfD74fpK8+J7pVuceg@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>
You could use iframe@sandbox(allow-same-origin) + seamless to make it
secure I think?

-- Eduardo



On Tue, Nov 29, 2011 at 1:33 AM, gaz Heyes <gazheyes@gmail.com> wrote:

> Hi all
>
> I decided to add staticHTML support in JavaScript. Hopefully this will be
> supported by the various vendors and should be much more secure than my
> version since you can have access to the DOM before it's rendered but for
> now it works via the Element prototype. There were a couple of problems I'd
> like to discuss, I couldn't find a way of allowing an element to be
> positioned or alter it's dimensions without affecting elements around it.
>
> For example if an evil user where to do
> document.getElementById('x').staticHTML='<a href="//evilsite"
> style="position:absolute;left:100px;top:100px;">I'm overlapping something I
> shouldn't</a>'; then just via the property there isn't any way I could
> figure to protect against it. Maybe you could have an staticHTML area which
> would solve the problem by restricting all modifications to this area. Also
> I guess styles are useless too since adding directly to the DOM won't allow
> styles to be rendered, I could add a staticCssText option which could solve
> the problem.
>
> The other problem I had is that any element which has a class, id or name
> must be modified to make it safe from affecting the rest of the page, you
> wouldn't want a evil user to assign or modify an existing css class for
> example. The only way round this I could see was to prefix the staticHTML
> with a staticHTML appid to prevent it from being able to modify outside of
> it's zone. Anyway I hope you support it :D
>
> Blog post here:
> http://www.thespanner.co.uk/2011/11/29/statichtml-property/
>
> Demo here:
> http://www.businessinfo.co.uk/labs/staticHTML/staticHTML.html
>
> Cheers
>
> Gareth
>
Received on Wednesday, 30 November 2011 03:30:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 November 2011 03:30:19 GMT