W3C home > Mailing lists > Public > public-html-diffs@w3.org > December 2011

hixie: Mention some XSS risks explicitly. (whatwg r6875)

From: poot <cvsmail@w3.org>
Date: Thu, 15 Dec 2011 19:33:00 -0500
To: public-html-diffs@w3.org
Message-Id: <E1RbLjQ-0005R1-3J@jay.w3.org>
hixie: Mention some XSS risks explicitly. (whatwg r6875)


RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.5474
retrieving revision 1.5475
diff -u -d -r1.5474 -r1.5475
--- Overview.html	15 Dec 2011 00:44:25 -0000	1.5474
+++ Overview.html	16 Dec 2011 00:32:40 -0000	1.5475
@@ -320,7 +320,7 @@
    <h2 class="no-num no-toc" id="a-vocabulary-and-associated-apis-for-html-and-xhtml">A vocabulary and associated APIs for HTML and XHTML</h2>
-   <h2 class="no-num no-toc" id="editor-s-draft-15-december-2011">Editor's Draft 15 December 2011</h2>
+   <h2 class="no-num no-toc" id="editor-s-draft-16-december-2011">Editor's Draft 16 December 2011</h2>
    <dl><dt>Latest Published Version:</dt>
     <dd><a href="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a></dd>
     <dt>Latest Editor's Draft:</dt>
@@ -467,7 +467,7 @@
   Group</a> is the W3C working group responsible for this
   specification's progress along the W3C Recommendation
-  This specification is the 15 December 2011 Editor's Draft.
+  This specification is the 16 December 2011 Editor's Draft.
   </p><!-- UNDER NO CIRCUMSTANCES IS THE PRECEDING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><p>Work on this specification is also done at the <a href="http://www.whatwg.org/">WHATWG</a>. The W3C HTML working group
   actively pursues convergence with the WHATWG, as required by the <a href="http://www.w3.org/2007/03/HTML-WG-charter">W3C HTML working
   group charter</a>.</p><!-- UNDER NO CIRCUMSTANCES IS THE FOLLOWING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><p>This document was produced by a group operating under the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5
@@ -1789,7 +1789,27 @@
-   </dd>
+    <p>There are many constructs that can be used to try to trick a
+    site into executing code. Here are some that authors are
+    encouraged to consider when writing whitelist filters:</p>
+    <ul><li>When allowing harmless-seeming elements like
+     <code><a href="#the-img-element">img</a></code>, it is important to whitelist any provided
+     attributes as well. If one allowed all attributes then an
+     attacker could, for instance, use the <code title="handler-onload"><a href="#handler-onload">onload</a></code> attribute to run arbitrary
+     script.</li>
+     <li>When allowing URLs to be provided (e.g. for links), the
+     scheme of each URL also needs to be explicitly whitelisted, as
+     there are many schemes that can be abused. The most prominent
+     example is "<code agents="" but="" can="" have="" historically="" implement="" implemented="" indeed="" others="" title="javascript:</code>" user=""> 
+     <li>Allowing a <code><a href="#the-base-element">base</a></code> element to be inserted means any
+     <code><a href="#the-script-element">script</a></code> elements in the page with relative links can
+     be hijacked, and similarly that any form submissions can get
+     redirected to a hostile site.</li>
+    </code></ul></dd>
    <dt>Cross-site request forgery (CSRF)</dt>
Received on Friday, 16 December 2011 00:33:01 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:09:20 UTC