Re: A perfect DOM sandbox

> What's the point of that?
Oh actually the idea is that you only create one iframe and they just
modify the innerHTML, so the CSP restrictions do apply. In this case
the scripts don't load for other reasons, being.. that they don't have
time to execute. I forgot that detail later on.. good for pointing
that out ;)

> And one more thing.  If you just want to have your HTML parsed in a context in which scripts won't execute, you can simply createDocument a document via the DOMImplementation and then set innerHTML in there...
because that's an XML parser.

doc.childNodes[0].innerHTML="<img src=x onload=alert(1) onerror=alert(1)>"
NS_ERROR_DOM_SYNTAX_ERR on line 1: An invalid or illegal string was specified


Received on Wednesday, 16 February 2011 04:25:03 UTC