- From: Mercurial notifier <cvsmail@w3.org>
- Date: Wed, 25 May 2011 17:11:34 +0000
- To: public-dap-commits@w3.org
changeset: 16:b795ba1b2493 tag: tip parent: 7:95eebd38e5cc user: Robin Berjon <robin@berjon.com> date: Wed May 25 19:11:01 2011 +0200 files: proposals/request-feature/xss-pwnd/index.html proposals/request-feature/xss-pwnd/notevilatall.js proposals/request-feature/xss-pwnd/unicorner.css proposals/request-feature/xss-pwnd/unicorner.js description: added example of simple XSS
diff -r 95eebd38e5cc -r b795ba1b2493 proposals/request-feature/xss-pwnd/index.html
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/proposals/request-feature/xss-pwnd/index.html Wed May 25 19:11:01 2011 +0200
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
+ <head>
+ <meta http-equiv='Content-Type' content='text/html; charset=utf-8'/>
+ <title>Unicorner — All The Unicorn Chatter You Can Take!</title>
+ <link rel='stylesheet' href='unicorner.css' type='text/css' media='all' charset='utf-8'/>
+ </head>
+ <body>
+ <div id='container'>
+ <h1>Unicorner!</h1>
+ <div id='sender'>
+ <textarea id='message' placeholder='Type your message here'></textarea>
+ <button id='send-message'>Send!</button>
+ </div>
+ <div id='content'></div>
+ </div>
+ </body>
+ <script src='http://ajax.googleapis.com/ajax/libs/jquery/1.6.0/jquery.min.js'></script>
+ <script src='unicorner.js'></script>
+</html>
diff -r 95eebd38e5cc -r b795ba1b2493 proposals/request-feature/xss-pwnd/notevilatall.js
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/proposals/request-feature/xss-pwnd/notevilatall.js Wed May 25 19:11:01 2011 +0200
@@ -0,0 +1,5 @@
+// imagine this script is loaded from a remote server
+navigator.geolocation
+ .watchPosition(function (pos) {
+ // send position to evil server, without anyone knowing
+ });
diff -r 95eebd38e5cc -r b795ba1b2493 proposals/request-feature/xss-pwnd/unicorner.css
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/proposals/request-feature/xss-pwnd/unicorner.css Wed May 25 19:11:01 2011 +0200 
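Review bot: jQuery is loaded from the third-party CDN over plain `http://` on the second-to-last line of index.html, so on a non-TLS path anyone able to alter that response controls the page before unicorner.js even runs, which is a second weakness unrelated to the message-injection the demo is meant to illustrate. Serving the library from the same directory, or at least `<script src='https://ajax.googleapis.com/ajax/libs/jquery/1.6.0/jquery.min.js'></script>`, keeps the demo's only intended weakness the one in unicorner.js. Separately, nothing in this commit binds a handler to `#send-message` or reads `#message`, so the input row is inert; a short HTML comment saying the form is decorative would save a reader hunting for the binding.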
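Review bot: The header comment on the first line of notevilatall.js says to imagine the script comes from a remote server, but the demo actually injects it from the same directory, and the distinction does not matter for what the file demonstrates; the comment should say why. Suggested wording: `// imagine this script is loaded from a remote server; once injected into the page it runs in the page's origin, so it shares whatever geolocation permission the user already granted the page`. Stating that the callback deliberately does nothing with `pos` would also make it clear the file is an inert placeholder rather than an unfinished one.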
@@ -0,0 +1,67 @@
+
+html, body {
+ background: cornflowerblue;
+ margin: 0;
+ padding: 0;
+ font-family: "Comic Sans MS";
+}
+
+#container {
+ width: 600px;
+ margin: 0 auto;
+ padding: 0 0 1em 0;
+ background: black;
+}
+
+h1 {
+ margin: 0;
+ padding: 30px 10px 0 10px;
+ color: pink;
+ background: white;
+ font-size: 3em;
+}
+
+#content {
+ margin: 10px;
+}
+
+#sender {
+ padding: 10px 0;
+ text-align: right;
+}
+
+textarea {
+ display: block;
+ width: 580px;
+ margin: 0 10px;
+ height: 3em;
+ border: none;
+}
+
+button {
+ margin: 5px 10px 0 10px;
+ background: white;
+ color: cornflowerblue;
+ font-family: "Comic Sans MS";
+ font-size: 1em;
+ border: none;
+}
+button:hover {
+ background: pink;
+}
+
+.message {
+ background: white;
+ margin: 10px 0;
+}
+
+h2 {
+ color: cornflowerblue;
+ margin: 0 5px;
+ font-size: 1em;
+}
+
+p {
+ padding: 0 5px 5px 20px;
+ margin: 0;
+}
diff -r 95eebd38e5cc -r b795ba1b2493 proposals/request-feature/xss-pwnd/unicorner.js
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/proposals/request-feature/xss-pwnd/unicorner.js Wed May 25 19:11:01 2011 +0200 
@@ -0,0 +1,87 @@
+
+(function (global, $) {
+ var curLocation = null;
+ global.UI = {
+ loadEverything: function () {
+ var msgs = Messaging.loadMessages();
+ for (var i = 0, n = msgs.length; i < n; i++) {
+ this.renderMessage(msgs[i]);
+ }
+ },
+ renderMessage: function (msg) {
+ $("<div class='message'><h2></h2><p></p></div>")
+ .find("h2").html(msg.sender).end()
+ .find("p").html(msg.content).end()
+ .appendTo($("#content"));
+ }
+ };
+
+ global.Messaging = {
+ loadMessages: function () {
+ // imagine that this hits a server instead
+ return allMessages;
+ },
+ sendMessage: function (txt) {
+ var msg = {
+ sender: "@robunicorn",
+ content: txt,
+ position: curLocation
+ };
+ // imagine there's some sending going on here
+ },
+ watchLocation: function () {
+ navigator.geolocation
+ .watchPosition(function (pos) { curLocation = { latitude: pos.latitude,
+ longitude: pos.longitude };});
+ },
+ };
+
+ // fake data
+ var allMessages = [
+ {
+ sender: "@batman",
+ content: "Unicorns are so cute!"
+ },
+ {
+ sender: "@graouts",
+ content: "Unicorns are just the best — nuff said, homie!"
+ },
+ {
+ sender: "@dom",
+ content: "The Village awakens to discover... a DEAD UNICORN!!!"
+ },
+ {
+ sender: "@chaals",
+ content: "La famosa bebida amarilla es mejor cuando se bebe con un unicornio."
+ },
+ {
+ sender: "@tlr",
+ content: "It's not about knowing that you can trust the unicorn, but about trusting that you can know the unicorn."
+ },
+ {
+ sender: "@ubu",
+ content: "DAAAHUUUT!!!"
+ },
+ {
+ sender: "@unicow",
+ content: "I have a unicorn in my grange."
+ },
+ {
+ sender: "@notevil",
+ content: "Is there a good site for LOLUnicorns?<script src='notevilatall.js'></script>"
+ },
+ {
+ sender: "@koalie",
+ content: "What do you call unicorn dandruff? Corn flakes! Hah!"
+ },
+ {
+ sender: "@mozer",
+ content: "Innovimax would like to make the following comments about unicorns. 
First, [message truncated]"
+ },
+ ];
+
+ $(function () {
+ UI.loadEverything();
+ Messaging.watchLocation();
+ });
+})(window, jQuery);
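Review bot: The `watchPosition` callback inside `watchLocation` reads `pos.latitude` and `pos.longitude`, but the Geolocation API hands the callback a Position whose coordinates sit on `pos.coords`, so `curLocation` becomes `{ latitude: undefined, longitude: undefined }` and the `position` field that `sendMessage` attaches carries nothing; the line should read `curLocation = { latitude: pos.coords.latitude, longitude: pos.coords.longitude };`. The `.html(msg.sender)` and `.html(msg.content)` calls in `renderMessage` are the injection sink the demo depends on (the `@notevil` entry in `allMessages` only works through them), so rather than changing them, label them so nobody "fixes" the demo or copies the pattern: `// DELIBERATE XSS SINK for this demo — untrusted message text goes through .html(); a real client would use .text()`. Two smaller points: the trailing comma after the `watchLocation` method (`},` directly before `};`) is a syntax error in some older engines, and `loadMessages` returns `allMessages` before its `var` declaration appears, which only works because the call happens from the DOM-ready handler after the assignment has run — a one-line comment on `var allMessages` would make that ordering explicit.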