Re: XSS risk from iframe@doc?

On Sun, 17 Jan 2010, Maciej Stachowiak wrote:
> Adam did specify "weak XSS filters". Even though filters based on 
> blacklisting instead of whitelisting are poor design, I suspect a lot of 
> sites still use them and therefore we might make existing sites more 
> vulnerable.

Yes, but we do so every time we invent a new event handler (e.g. 
onhashchange), content embedding mechanism (e.g. <video>), styling 
mechanism (e.g. <style scoped>), element with special styling or parsing 
rules (e.g. <ruby>), feature affecting the rendering (e.g. hidden=""), 
attribute affecting the UI (e.g. <input required>), etc etc etc.

I mean, pretty much any new feature in HTML5 can be a problem for an 
XSS filter with a matching weakness. If we start being worried about this, 
we are likely to end up frozen in fear, unable to invent anything.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
                          U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
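The blacklist-versus-whitelist point made in this thread, as an added illustration that is not code from the thread or from any browser: a filter that strips a fixed set of known-bad tags and attributes silently passes any attribute it was never taught about (such as a newly minted event handler), while an allowlist filter needs no update when the platform grows. The block lists, allow lists and sample markup are all constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed, deliberately stale blocklist: written before onhashchange or <video> existed.
BLOCKED_ATTRS = {"onclick", "onload", "onerror", "onmouseover"}
BLOCKED_TAGS = {"script", "iframe", "object", "embed"}

# Constructed allowlist: the only tags and attributes a comment field may carry.
ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href"}, "img": {"src", "alt"}}


class _Rebuilder(HTMLParser):
    """Re-serialises the input, keeping a tag or attribute only if the policy says so."""

    def __init__(self, keep_tag, keep_attr):
        super().__init__(convert_charrefs=True)
        self.keep_tag, self.keep_attr, self.out = keep_tag, keep_attr, []

    def handle_starttag(self, tag, attrs):
        if not self.keep_tag(tag):
            return
        kept = [(k, v) for k, v in attrs if self.keep_attr(tag, k)]
        attr_str = "".join(f' {k}="{escape(v or "")}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_str}>")

    def handle_endtag(self, tag):
        if self.keep_tag(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always re-escaped, never passed raw


def _run(html, keep_tag, keep_attr):
    parser = _Rebuilder(keep_tag, keep_attr)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def blocklist_filter(html):
    """Drops only what the stale lists name; everything else goes through."""
    return _run(html, lambda t: t not in BLOCKED_TAGS, lambda t, a: a not in BLOCKED_ATTRS)


def allowlist_filter(html):
    """Keeps only what the allowlist names; unknown tags and attributes are dropped."""
    return _run(html, lambda t: t in ALLOWED, lambda t, a: a in ALLOWED.get(t, set()))


def passes_unknown_attr(filter_fn, attr="onhashchange"):
    """True if the filter lets through an attribute it was never taught about."""
    return attr in filter_fn(f'<b {attr}="x">hi</b>')
```

Run `passes_unknown_attr` against both filters: the blocklist passes `onhashchange` untouched, the allowlist strips it without having heard of it.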

Received on Monday, 18 January 2010 05:56:31 UTC