W3C home > Mailing lists > Public > whatwg@whatwg.org > August 2010

[whatwg] idea about html code security anti xss

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 9 Aug 2010 22:36:59 +0000 (UTC)
Message-ID: <Pine.LNX.4.64.1008092236190.13322@ps20323.dreamhostps.com>
On Wed, 16 Jun 2010, gabmeyer at westweb.at wrote:
> 
> I had just this idea after reading so much about xss and code injection.
> 
> I think there is a simple solution:
> 
> 1.)
> I now invent an attribute called strlen=""
> 
> I append this to a <div strlen="94843">htmlcode with strlen of 94843 bytes including whitespace</div>
> 
> The browser know knows the exact position where the divtag must end.
> 
> You cannot inject some code that closes the tag before.
> 
> 2.) 
> you can now control the code inside the div.
> you can also append a second attribute called "secure" that prevents any scriptcode to run from inside the div.

On Wed, 16 Jun 2010, Anne van Kesteren wrote:
>
> We considered something like this before, but it was thought to be too 
> complicated and not backwards compatible enough. In the current draft 
> you will find <iframe srcdoc=...></iframe> which does what you propose 
> with the relatively small change that the sandboxed code is inside an 
> attribute rather than an element. For fallback the src attribute can be 
> used.

Indeed.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 9 August 2010 15:36:59 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:08:59 UTC