Re: XSS risk from iframe@doc?

On Sun, 17 Jan 2010, Adam Barth wrote:
>
> Whenever we add a new syntax for executing script, there is some risk 
> that web sites with weak XSS filters will mistakenly let attackers 
> inject scripting using the new syntax.  For example, a web site might 
> let an attacker inject the following string:
> 
> <iframe doc="<script>alert(1)</script>">
> 
> The risk from this injection vector is mitigated because a regexp-based 
> XSS filter will likely block the @doc attribute from containing HTML 
> that executes script.  However, more advanced XSS filters that 
> understand how to parse HTML attributes might let that string through.
> 
> There are a couple of options for resolving this issue:
> 
> 1) Always give documents created with @doc a unique origin.  This 
> approach is consistent with the use case of using this attribute for 
> untrusted content.
> 
> 2) Change @doc from being an HTML attribute to being a DOM method. This 
> approach also makes it impossible for authors to screw up the escaping.

doc="" is only meant to be used with sandbox="". I can just make it not do 
anything at all if sandbox="" isn't specified, if that helps.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Sunday, 17 January 2010 20:34:59 UTC
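The following is an added illustration of the point discussed in the thread, written for this archive page rather than taken from it or from any browser or specification: it contrasts a crude regexp-based filter with an attribute-aware allowlist filter on the sample injection quoted above, and shows one way a filter could apply the sandbox tie-in Ian proposes. The attribute names `doc` (the draft name used in the thread) and `srcdoc` (the name the attribute later shipped under), the allowlist of tags, and the choice to force an empty `sandbox=""` are all assumptions made for the example, not rules from the thread.

```python
"""Added example: two HTML filter styles versus an inline-document attribute.

Uses only the standard library so it runs offline. The sample input is the
injection string quoted in the thread; everything else is constructed here.
"""
import html
import re
from html.parser import HTMLParser

# Sample injection copied from the thread (constructed test input, not live data).
INJECTION = '<iframe doc="<script>alert(1)</script>">'

# Attributes whose value is a whole document. Assumption: treat the draft name
# from the thread (doc) and the later shipped name (srcdoc) the same way.
DOC_ATTRS = {"doc", "srcdoc"}


def regexp_filter_blocks(markup: str) -> bool:
    """Crude regexp-based filter: rejects anything resembling a <script> tag
    anywhere in the string, attribute values included. It blocks the sample
    because it never distinguishes markup from attribute text."""
    return re.search(r"<\s*script\b", markup, re.IGNORECASE) is not None


class AttributeAwareFilter(HTMLParser):
    """Allowlist filter that understands tags and attributes.

    iframe is allowed (a common choice for embeds) and attribute values are
    only re-escaped, never inspected, so without explicit policy for
    doc/srcdoc the inline document survives the filter intact.
    """

    ALLOWED_TAGS = {"a", "b", "i", "p", "iframe"}

    def __init__(self, force_sandbox_on_doc: bool):
        super().__init__()
        self.force_sandbox_on_doc = force_sandbox_on_doc
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            return  # dropped tag; its text content is still emitted, escaped
        attrs = dict(attrs)
        if tag == "iframe" and self.force_sandbox_on_doc and DOC_ATTRS & attrs.keys():
            # Hardened policy (assumption): an inline document is only ever
            # served sandboxed. Force an empty sandbox="" (unique origin,
            # scripts disabled) and discard any author-supplied allow-* tokens.
            attrs["sandbox"] = ""
        parts = [tag]
        for name, value in attrs.items():
            parts.append(f'{name}="{html.escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in self.ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        return "".join(self.out)


def _run(markup: str, force_sandbox_on_doc: bool) -> str:
    f = AttributeAwareFilter(force_sandbox_on_doc)
    f.feed(markup)
    f.close()
    return f.result()


def lenient_filter(markup: str) -> str:
    """Attribute-aware filter with no policy for doc/srcdoc: the escaped value
    still decodes to a script-bearing document once the browser reads it."""
    return _run(markup, force_sandbox_on_doc=False)


def hardened_filter(markup: str) -> str:
    """Same parser, but any iframe carrying an inline document gets sandbox=""."""
    return _run(markup, force_sandbox_on_doc=True)


if __name__ == "__main__":
    print("regexp filter blocks sample:", regexp_filter_blocks(INJECTION))
    print("lenient  :", lenient_filter(INJECTION))
    print("hardened :", hardened_filter(INJECTION))
```

The lenient filter's output looks harmless because the angle brackets are entity-encoded, but an `srcdoc`-style attribute is decoded by the browser before being parsed as a document, so the script it carries is unchanged in effect; that is exactly the gap Adam describes for filters that parse attributes. The hardened variant mirrors Ian's suggestion from the filter side: the inline document is never emitted without `sandbox=""`, and an author-supplied `sandbox="allow-scripts"` is overwritten rather than trusted.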