On Jan 17, 2010, at 11:41 AM, Adam Barth wrote:

> Whenever we add a new syntax for executing script, there is some risk
> that web sites with weak XSS filters will mistakenly let attackers
> inject scripting using the new syntax. For example, a web site might
> let an attacker inject the following string:
>
> <iframe doc="<script>alert(1)</script>">
>
> The risk from this injection vector is mitigated because a
> regexp-based XSS filter will likely block the @doc attribute from
> containing HTML that executes script. However, more advanced XSS
> filters that understand how to parse HTML attributes might let that
> string through.
>
> There are a couple of options for resolving this issue:
>
> 1) Always give documents created with @doc a unique origin. This
> approach is consistent with the use case of using this attribute for
> untrusted content.
>
> 2) Change @doc from being an HTML attribute to being a DOM method.
> This approach also makes it impossible for authors to screw up the
> escaping.

Two other possibilities:

3) The presence of doc implies sandboxing.

4) doc doesn't work unless sandbox is also specified.

However, these might be vulnerable to sandbox="allow-script allow-same-origin" being injected along with the doc attribute.

Regards,
Maciej

Received on Sunday, 17 January 2010 23:22:52 UTC
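The filter behaviour discussed in the thread, as an added illustration that is not part of the original message: a bare regexp filter rejects the quoted @doc vector only because the literal `<script` happens to sit inside the attribute value, an attribute-aware filter that treats @doc as opaque text lets it through, and a filter that merely requires a sandbox attribute is defeated by an injected token list. The sample strings are constructed here, the attribute is called `doc` as in the proposal, and the tokens `allow-scripts` and `allow-same-origin` are the real sandbox keywords that Maciej's "allow-script allow-same-origin" refers to.

```python
from html.parser import HTMLParser
import re

# Constructed samples modelled on the injection string quoted in the thread.
SAMPLES = {
    "doc_only": '<iframe doc="<script>alert(1)</script>">',
    "doc_and_sandbox": ('<iframe doc="<script>alert(1)</script>" '
                        'sandbox="allow-scripts allow-same-origin">'),
    "benign": '<iframe src="https://example.invalid/" sandbox>',
}

# The weak regexp filter from the thread. It rejects the @doc vector only by
# accident: the literal "<script" is inside an attribute value, not a tag.
SCRIPT_RE = re.compile(r"<script", re.IGNORECASE)

def regex_filter_blocks(html):
    return SCRIPT_RE.search(html) is not None

MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")          # tag-like token inside a value
DANGEROUS_SANDBOX = {"allow-scripts", "allow-same-origin"}  # real sandbox tokens

class IframeAuditor(HTMLParser):
    """Attribute-aware filter. With doc_aware=False it models the filter Adam
    describes: attributes are parsed, @doc is treated as opaque text, and the
    vector passes. With doc_aware=True it knows @doc holds a whole document and
    also checks the sandbox tokens Maciej warns about."""

    def __init__(self, doc_aware):
        super().__init__()
        self.doc_aware = doc_aware
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe" or not self.doc_aware:
            return
        attr = dict(attrs)
        # "srcdoc" is the iframe attribute that exists in HTML today; checked too.
        for name in ("doc", "srcdoc"):
            if MARKUP_RE.search(attr.get(name) or ""):
                self.findings.append(f"{name} attribute carries markup")
        tokens = set((attr.get("sandbox") or "").split())
        if DANGEROUS_SANDBOX <= tokens:
            self.findings.append("sandbox grants allow-scripts together with allow-same-origin")

def attribute_filter_findings(html, doc_aware=True):
    parser = IframeAuditor(doc_aware)
    parser.feed(html)
    parser.close()
    return parser.findings
```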