- From: Ian Hickson <ian@hixie.ch>
- Date: Sun, 17 Jan 2010 20:34:29 +0000 (UTC)
- To: Adam Barth <w3c@adambarth.com>
- Cc: HTML WG <public-html@w3.org>
On Sun, 17 Jan 2010, Adam Barth wrote:
>
> Whenever we add a new syntax for executing script, there is some risk
> that web sites with weak XSS filters will mistakenly let attackers
> inject scripting using the new syntax. For example, a web site might
> let an attacker inject the following string:
>
> <iframe doc="<script>alert(1)</script>">
>
> The risk from this injection vector is mitigated because a regexp-based
> XSS filter will likely block the @doc attribute from containing HTML
> that executes script. However, more advanced XSS filters that
> understand how to parse HTML attributes might let that string through.
>
> There are a couple of options for resolving this issue:
>
> 1) Always give documents created with @doc a unique origin. This
> approach is consistent with the use case of using this attribute for
> untrusted content.
>
> 2) Change @doc from being an HTML attribute to being a DOM method. This
> approach also makes it impossible for authors to screw up the escaping.

doc="" is only meant to be used with sandbox="". I can just make it not do
anything at all if sandbox="" isn't specified, if that helps.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 17 January 2010 20:34:59 UTC
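As an added example (not code from this thread or from the HTML WG), the JavaScript below contrasts the two filter styles Adam describes, a naive regexp filter and an attribute-aware filter, on his injected string, and models Ian's proposed rule that @doc only takes effect when sandbox="" is also present. The function names, the two policy tables and the simplified tag grammar are assumptions for constructed input, not a real sanitizer.

```javascript
// Constructed sample: the injected string from Adam Barth's message.
const INJECTED = '<iframe doc="<script>alert(1)</script>">';

// Style 1: a regexp-based filter. It rejects anything containing "<script",
// so it happens to block @doc here, but it knows nothing about attributes.
function naiveRegexBlocks(html) {
  return /<script/i.test(html);
}

// Style 2: an attribute-aware filter (simplified tag grammar, demo only).
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>]+(?:="[^"]*")?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=]+)(?:="([^"]*)")?/g;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2] ?? '';
  return attrs;
}

// LOOSE: element allowlist only; every attribute on an allowed element survives,
// so a new script-bearing attribute such as @doc passes straight through.
// STRICT: element plus per-element attribute allowlist; @doc is not listed.
const LOOSE = { p: null, a: null, iframe: null };
const STRICT = { p: [], a: ['href'], iframe: ['src', 'sandbox'] };

function filterHtml(html, policy) {
  return html.replace(TAG_RE, (tag, name, attrText) => {
    name = name.toLowerCase();
    if (!(name in policy)) return '';           // element not allowed: drop the tag
    if (tag.startsWith('</')) return `</${name}>`;
    const allowed = policy[name];
    const kept = Object.entries(parseAttrs(attrText))
      .filter(([k]) => allowed === null || allowed.includes(k))
      .map(([k, v]) => ` ${k}="${v.replace(/"/g, '&quot;')}"`)
      .join('');
    return `<${name}${kept}>`;
  });
}

// Model of Ian's reply: @doc does nothing at all unless sandbox="" is specified.
function docTakesEffect(attrs) {
  return 'doc' in attrs && 'sandbox' in attrs;
}

console.log(naiveRegexBlocks(INJECTED), filterHtml(INJECTED, LOOSE), filterHtml(INJECTED, STRICT));
```

The LOOSE policy is the "more advanced" filter Adam worries about: it parses attributes correctly yet lets the string through because nothing told it @doc carries a document, so the attribute allowlist is the place a defender must update when new script-executing syntax lands.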