
[whatwg] updateWithSanitizedHTML (was Re: innerStaticHTML)

From: Kornel Lesiński <kornel@geekhood.net>
Date: Tue, 1 Dec 2009 10:38:57 +0000
Message-ID: <BA03DC53-1DA2-460D-ADA3-BD0116735889@geekhood.net>
> The WebKit community is considering taking up such an experimental
> implementation.  Here's my current proposal for how this might work:
>
> http://docs.google.com/Doc?docid=0AZpchfQ5mBrEZGQ0cDh3YzRfMTJzbTY1cWJrNA&hl=en
>
> I would appreciate any feedback on the design.

A whitelist requires developers to know about the potential risks of each element/property, and that's not obvious to everyone: e.g. one might want to allow object/embed (for harmless YouTube videos) without realizing that it enables XSS.

It's also non-obvious that the style attribute is an XSS risk (via the behavior property). A higher-level filtering option could allow the style attribute and only filter out that property. The current proposal would need another whitelist for CSS properties.

And even a whitelist for CSS properties couldn't be used to implement a "No external access" policy (allow images with data: URLs, allow http: links, but not http: images). This would be useful for webmails and other places where a website doesn't want to allow 3rd parties to track views.

"No clickjacking" option might be useful as well.

-- 
regards, Kornel Lesiński
Received on Tuesday, 1 December 2009 02:38:57 UTC
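A sketch of the "no external access" policy the message describes, added here as an example and not taken from the proposal or from Kornel's message: a context-aware sanitizer built on Python's standard html.parser that allows http(s): links but only inline data: images, and strips the behavior property and url() values from style attributes instead of dropping the attribute wholesale. The element set, attribute set and policy table are the example's own assumptions.

```python
from html.parser import HTMLParser
from html import escape

ALLOWED_TAGS = {"p", "b", "i", "br", "a", "img"}
PLAIN_ATTRS = {"alt", "title"}  # non-URL attributes copied through unchanged
# "No external access" policy: links may be http(s), images only inline data: URLs.
URL_POLICY = {"a": {"href": {"http", "https"}}, "img": {"src": {"data"}}}

def scrub_style(value):
    # Keep declarations that neither bind a behavior nor fetch anything via url().
    decls = [d.partition(":") for d in value.split(";")]
    return ";".join(f"{p.strip()}:{v.strip()}" for p, _, v in decls
                    if v and p.strip().lower() != "behavior" and "url(" not in v.lower())

def filter_attr(tag, name, value):
    # Return the attribute value to emit, or None to drop the attribute entirely.
    if name == "style":
        return scrub_style(value) or None
    if name in URL_POLICY.get(tag, {}):
        # Exact-match allow-list on the text before the first colon, so javascript:,
        # relative and unknown URLs all fail the check.
        scheme = value.strip().partition(":")[0].lower()
        return value if scheme in URL_POLICY[tag][name] else None
    return value if name in PLAIN_ATTRS else None

class NoExternalAccessSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # element dropped; its text still arrives via handle_data
        kept = [(n, filter_attr(tag, n, v or "")) for n, v in attrs]
        rendered = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept if v is not None)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(fragment):
    parser = NoExternalAccessSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Because the decision is made per element and attribute rather than per CSS property, the same table can express the webmail case from the message (tracking pixels rejected, ordinary links kept) that a property whitelist alone cannot.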
