[Bug 12469] Dynamic Cross-Site Scripting and Page Repainting from bugzilla@jessica.w3.org on 2011-04-11 (public-html-bugzilla@w3.org from April 2011)

From: <bugzilla@jessica.w3.org>
Date: Mon, 11 Apr 2011 22:15:32 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1Q9POO-0007OI-VG@jessica.w3.org>

http://www.w3.org/Bugs/Public/show_bug.cgi?id=12469

Aryeh Gregor <Simetrical+w3cbug@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Simetrical+w3cbug@gmail.com

--- Comment #3 from Aryeh Gregor <Simetrical+w3cbug@gmail.com> 2011-04-11 22:15:32 UTC ---
I don't get it.  What makes this any worse than any XSS attack?  What does the
attacker gain by using postMessage() to get the injected code instead of just
including it directly in the exploit?

(Also, there's already a <plaintext> element in HTML, which does something
different from this.  <xmp> does something like what you say, but attackers
could just add </xmp> to avoid it.  You need to actually escape the content
somehow, using htmlspecialchars() or your language's equivalent.)

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Monday, 11 April 2011 22:15:36 UTC