W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > April 2011

[Bug 12469] Dynamic Cross-Site Scripting and Page Repainting

From: <bugzilla@jessica.w3.org>
Date: Mon, 11 Apr 2011 22:15:32 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1Q9POO-0007OI-VG@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12469

Aryeh Gregor <Simetrical+w3cbug@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Simetrical+w3cbug@gmail.com

--- Comment #3 from Aryeh Gregor <Simetrical+w3cbug@gmail.com> 2011-04-11 22:15:32 UTC ---
I don't get it.  What makes this any worse than any XSS attack?  What does the
attacker gain by using postMessage() to get the injected code instead of just
including it directly in the exploit?

(Also, there's already a <plaintext> element in HTML, which does something
different from this.  <xmp> does something like what you say, but attackers
could just add </xmp> to avoid it.  You need to actually escape the content
somehow, using htmlspecialchars() or your language's equivalent.)

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Monday, 11 April 2011 22:15:36 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 16:31:08 UTC