Ian Hickson wrote:
> On Sun, 17 Jan 2010, Adam Barth wrote:
>> Whenever we add a new syntax for executing script, there is some risk
>> that web sites with weak XSS filters will mistakenly let attackers
>> inject scripting using the new syntax. For example, a web site might
>> let an attacker inject the following string:
>>
>> <iframe doc="<script>alert(1)</script>">
>>
>> [...]
>
> doc="" is only meant to be used with sandbox="". I can just make it not do
> anything at all if sandbox="" isn't specified, if that helps.

An XSS filter that lets the user give a doc attribute will let the user give
a sandbox attribute too, i.e. they can write

<iframe doc="<script>alert(1)</script>" sandbox="allow-scripts">

So as far as I can see, making it do nothing when there's no sandbox
attribute doesn't help.

--
Philip Taylor
pjt47@cam.ac.uk

Received on Sunday, 17 January 2010 20:58:11 UTC
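The argument in the message above, worked through in code. This is an added example and is not code from the thread or from any browser or spec: it models a weak attribute-allowlist XSS filter of the kind Adam Barth describes, simulates the browser-side rule Ian Hickson proposes (doc="" does nothing without sandbox=""), and shows that an attacker who is allowed to write a doc attribute can add sandbox="allow-scripts" and still get script execution, exactly as Philip Taylor says. The tag parser, the allowlist policy (WEAK_ALLOWED), and the helper names (weakFilter, hardenedFilter, docWouldRunScript) are assumptions made for this example. The attribute discussed as doc later shipped in HTML as srcdoc, so the hardened filter treats both names as script-bearing.

```javascript
// Added example, not code from the thread. Toy tag parser, two sanitizer
// policies, and a simulation of the proposed "doc requires sandbox" rule.

// Parse one opening tag such as <iframe a="b" c> into { name, attrs }.
// Attribute values may be double-quoted, single-quoted or unquoted; this is
// a toy parser, not the HTML tokenizer.
function parseTag(tag) {
  const m = /^<([a-zA-Z][a-zA-Z0-9]*)\s*([^]*?)\/?>$/.exec(tag.trim());
  if (!m) return null;
  const attrs = {};
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let a;
  while ((a = attrRe.exec(m[2])) !== null) {
    attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
  }
  return { name: m[1].toLowerCase(), attrs };
}

// Re-serialize a parsed tag with only the kept attributes.
function serialize(name, attrs) {
  const parts = Object.entries(attrs).map(
    ([k, v]) => ` ${k}="${v.replace(/"/g, "&quot;")}"`
  );
  return `<${name}${parts.join("")}>`;
}

// Weak filter (hypothetical policy): an <iframe> is allowed as long as every
// attribute is on an allowlist. A site that adds "doc" to that allowlist,
// reasoning that it is "only meaningful with sandbox", has no way to know
// that doc + sandbox="allow-scripts" is a script vector.
const WEAK_ALLOWED = { iframe: ["src", "width", "height", "sandbox", "doc"] };

function weakFilter(tag) {
  const t = parseTag(tag);
  if (!t || !(t.name in WEAK_ALLOWED)) return "";
  const kept = {};
  for (const [k, v] of Object.entries(t.attrs)) {
    if (WEAK_ALLOWED[t.name].includes(k)) kept[k] = v;
  }
  return serialize(t.name, kept);
}

// Hardened filter: attributes whose value is parsed as a whole document
// (doc here, srcdoc in shipped HTML) carry script and are dropped
// unconditionally. The presence of sandbox="" does not make them safe,
// because the attacker controls sandbox="" too.
const SCRIPT_BEARING = ["doc", "srcdoc"];

function hardenedFilter(tag) {
  const t = parseTag(tag);
  if (!t || !(t.name in WEAK_ALLOWED)) return "";
  const kept = {};
  for (const [k, v] of Object.entries(t.attrs)) {
    if (WEAK_ALLOWED[t.name].includes(k) && !SCRIPT_BEARING.includes(k)) {
      kept[k] = v;
    }
  }
  return serialize(t.name, kept);
}

// Browser-side rule from the reply: doc="" takes effect only when sandbox=""
// is present, and the embedded document may run script only when the
// sandbox flags include allow-scripts. Returns true when attacker markup in
// doc="" would execute under that rule.
function docWouldRunScript(tag) {
  const t = parseTag(tag);
  if (!t || t.name !== "iframe") return false;
  if (!("doc" in t.attrs) || !("sandbox" in t.attrs)) return false;
  const flags = t.attrs.sandbox.toLowerCase().split(/\s+/);
  return flags.includes("allow-scripts") && /<script[\s>]/i.test(t.attrs.doc);
}

// Constructed attacker input: Adam Barth's payload with the sandbox
// attribute added, as Philip Taylor's reply describes.
const ATTACKER_INPUT =
  '<iframe doc="<script>alert(1)</script>" sandbox="allow-scripts">';

function demo() {
  const weak = weakFilter(ATTACKER_INPUT);
  const hard = hardenedFilter(ATTACKER_INPUT);
  return {
    weakOutput: weak,
    weakRunsScript: docWouldRunScript(weak),     // true: rule is bypassed
    hardenedOutput: hard,
    hardenedRunsScript: docWouldRunScript(hard), // false: doc was stripped
  };
}

console.log(demo());
```

The point the code makes: the proposed rule only moves the question from "is doc present" to "are doc and sandbox both present", and an allowlist filter that accepts one attribute accepts both. A filter has to classify the document-bearing attribute itself as dangerous, independent of sandbox.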