Re: XSS risk from iframe@doc?

On Jan 17, 2010, at 11:41 AM, Adam Barth wrote:

> Whenever we add a new syntax for executing script, there is some risk
> that web sites with weak XSS filters will mistakenly let attackers
> inject scripting using the new syntax.  For example, a web site might
> let an attacker inject the following string:
> 
> <iframe doc="<script>alert(1)</script>">
> 
> The risk from this injection vector is mitigated because a
> regexp-based XSS filter will likely block the @doc attribute from
> containing HTML that executes script.  However, more advanced XSS
> filters that understand how to parse HTML attributes might let that
> string through.
> 
> There area couple of options for resolving this issue:
> 
> 1) Always give documents created with @doc a unique origin.  This
> approach is consistent with the use case of using this attribute for
> untrusted content.
> 
> 2) Change @doc from being an HTML attribute to being a DOM method.
> This approach also makes it impossible for authors to screw up the
> escaping.

Two other possibilies:

3) The presense of doc implies sandboxing.
4) doc doesn't work unless sandbox is also specified

However, these might be vulnerable to sandbox="allow-script allow-same-origin" being injected along with the doc attribute.

Regards,
Maciej

Received on Sunday, 17 January 2010 23:22:52 UTC