- From: Ian Hickson <ian@hixie.ch>
- Date: Sun, 6 Dec 2009 09:21:42 +0000 (UTC)
- To: Adam Barth <w3c@adambarth.com>
- Cc: Maciej Stachowiak <mjs@apple.com>, sird@rckc.at, public-web-security@w3.org
On Sat, 5 Dec 2009, Adam Barth wrote: > > I think you're missing the main attack that sird's worried about: > > Assumptions: > > 1) The attacker can injection content into the target web site, but > cannot injection script. If you grant the assumption that the page has a faulty filter, IMHO it becomes easy to have all kinds of vulnerabilities. That filters should make sure the user can't insert arbitrary CSS is not new. Selectors and expressions get more and more expressive with each year, but they pale in comparison to the kind of deep analysis you can do to a page using XSLT and XPath, for example. This is why filters should always whitelist only features they consider safe. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 6 December 2009 09:22:13 UTC