XSS risk from iframe@doc?

Whenever we add a new syntax for executing script, there is some risk
that web sites with weak XSS filters will mistakenly let attackers
inject scripting using the new syntax.  For example, a web site might
let an attacker inject the following string:

<iframe doc="<script>alert(1)</script>">

The risk from this injection vector is mitigated because a
regexp-based XSS filter will likely block the @doc attribute from
containing HTML that executes script.  However, more advanced XSS
filters that understand how to parse HTML attributes might let that
string through.

There are a couple of options for resolving this issue:

1) Always give documents created with @doc a unique origin.  This
approach is consistent with the use case of using this attribute for
untrusted content.

2) Change @doc from being an HTML attribute to being a DOM method.
This approach also makes it impossible for authors to screw up the
escaping.

Adam

Received on Sunday, 17 January 2010 19:42:18 UTC
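An added illustration of the filter gap described above (example code, not part of the original message or of any browser or filter project). It compares three server-side content filters on the injection string from the thread: a regexp filter, which happens to block it; a naive attribute-aware filter, which parses the tag and treats the attribute value as an inert string, so it lets the string through; and a hardened variant that parses any document-valued attribute as nested HTML. The attribute name "doc" is the one proposed in the thread; "srcdoc", the name the feature later shipped under, is included as an assumption.

```python
import re
from html.parser import HTMLParser

# Constructed input: the injection from the thread, embedded in otherwise
# harmless markup. Attribute names whose value a browser would parse as a
# whole HTML document; "srcdoc" is listed here as an assumption.
INJECTED = '<p>hello</p><iframe doc="<script>alert(1)</script>"></iframe>'
HTML_VALUED_ATTRS = {"doc", "srcdoc"}

# Filter 1: regexp-based. Rejects "<script" anywhere in the raw string,
# attribute values included, so it blocks INJECTED (as the thread notes),
# although for the wrong reason: it never understands where the value sits.
SCRIPT_RE = re.compile(r"<\s*script", re.IGNORECASE)


def regexp_filter_allows(markup: str) -> bool:
    return SCRIPT_RE.search(markup) is None


# Filter 2: attribute-aware. Parses the markup and rejects <script> elements.
# In naive mode attribute values are treated as inert strings, which is the
# gap the thread describes; in hardened mode every document-valued attribute
# is filtered recursively as if it were a separate document.
class AttrAwareFilter(HTMLParser):
    def __init__(self, treat_doc_as_html: bool) -> None:
        super().__init__()
        self.treat_doc_as_html = treat_doc_as_html
        self.allowed = True

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.allowed = False
            return
        if not self.treat_doc_as_html:
            return  # naive mode: attribute values are just strings
        for name, value in attrs:
            if name in HTML_VALUED_ATTRS and not attr_filter_allows(value or "", True):
                self.allowed = False


def attr_filter_allows(markup: str, treat_doc_as_html: bool) -> bool:
    f = AttrAwareFilter(treat_doc_as_html)
    f.feed(markup)
    f.close()
    return f.allowed


if __name__ == "__main__":
    print("regexp filter allows:    ", regexp_filter_allows(INJECTED))       # False
    print("naive attr filter allows:", attr_filter_allows(INJECTED, False))  # True
    print("hardened filter allows:  ", attr_filter_allows(INJECTED, True))   # False
```

The hardened mode is what a content filter has to do on its own if the browser does not adopt option (1); a unique origin for @doc documents removes the need to trust the filter at all.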