Re: A perfect DOM sandbox

On 2/15/11 2:40 AM, wrote:
>      if(navigator.userAgent.match(/Firefox/))
>          ifr.setAttribute("src","/xss.php?csp&plain_text");

What's the point of that?

>      try {
>          ifr.contentDocument.documentElement.innerHTML=src;

Given that you immediately do this?

(Let's ignore for the moment that matching on "Firefox" is totally the 
wrong way to detect Gecko and minor details like that.)

> parseHTML("<img src=/ onload=alert(1)
> onerror=alert(1)><script>alert(1)</script><iframe
> src=javascript:alert(1)></iframe><b>hello</b>").getElementsByTagName("b")[0].innerHTML;
> parseHTML("<xD/>").getElementsByTagName("*")[0].innerHTML="<img src=/
> onload=alert(1) onerror=alert(1)><script>alert(1)</script><iframe
> src=javascript:alert(1)></iframe>";

The fact that these don't execute in Gecko just has to do with the 
window being torn down before the async load events fire.


Received on Tuesday, 15 February 2011 07:55:41 UTC
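The reply's point is that the quoted sandbox only appears safe because the iframe window is torn down before the asynchronous load events get a chance to fire; it is a race, not a guarantee. The following is an added example, not code from either participant in this thread, showing the alternative a defender would reach for: parsing the untrusted markup with `DOMParser` into a document that has no browsing context, so scripts are marked non-executable and `img`/`iframe` resources never load, which means `onload`/`onerror` handlers cannot fire at all. It is browser-only (it assumes `DOMParser` exists) and reuses the payload string quoted in the thread as its sample input.

```javascript
// Added example (not from the thread): parse untrusted HTML into an inert
// document so that scripts and event handlers can never run, regardless of
// when an iframe happens to be torn down. Browser-only: relies on DOMParser.

// Sample markup, copied from the payload quoted in the thread.
const SAMPLE = '<img src=/ onload=alert(1) onerror=alert(1)>' +
  '<script>alert(1)</script><iframe src=javascript:alert(1)></iframe><b>hello</b>';

// Parse into a document with no browsing context. Per the HTML spec, script
// elements created this way are flagged "already started" and never execute,
// and no fetches happen for img/iframe, so load/error handlers have nothing
// to fire on. This holds by specification, not by timing.
function parseInert(html) {
  if (typeof DOMParser === 'undefined') {
    throw new Error('DOMParser not available (browser-only example)');
  }
  return new DOMParser().parseFromString(html, 'text/html');
}

// Pull only the data actually needed out of the inert tree, as plain text,
// rather than moving nodes or innerHTML into the live document.
function extractBoldText(html) {
  const doc = parseInert(html);
  return Array.from(doc.getElementsByTagName('b'), b => b.textContent);
}

// Report what the parser saw, to show the dangerous nodes were parsed
// faithfully (not silently dropped) yet nothing executed.
function summarize(html) {
  const doc = parseInert(html);
  const handlerAttrs = Array.from(doc.querySelectorAll('*'))
    .flatMap(el => Array.from(el.attributes))
    .filter(attr => attr.name.startsWith('on')).length;
  return {
    scripts: doc.getElementsByTagName('script').length,
    handlerAttrs,
    bold: extractBoldText(html),
  };
}

if (typeof DOMParser !== 'undefined') {
  console.log(summarize(SAMPLE)); // { scripts: 1, handlerAttrs: 2, bold: ['hello'] }
}
```

The one caveat worth keeping in mind: the inert document stays inert only while its nodes stay in it. Adopting those nodes into the live document (or assigning `doc.body.innerHTML` to a live element) re-arms resource loads and their handlers, so extract text or a sanitized serialization, never the raw subtree. `document.implementation.createHTMLDocument('')` plus `innerHTML` on its body gives the same inert behaviour where `DOMParser` is unavailable.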