Re: A perfect DOM sandbox

Oh, now that I remember Firefox also executes event handles on
unappended nodes, so the parseHTML trick I used, doesn't work on
Firefox 3.6 anyways.. but that code was made like in 10 minutes, and
verified in browsers in like 5, so well..

I filed a bug about this a long time ago, and was marked as wontfix.

-- Eduardo

On Tue, Feb 15, 2011 at 8:43 PM, <> wrote:
> For what is worth.. if browser provide a safe way of creating a DOM
> like this.. one could simply traverse it and create a second fake DOM
> later on on top of that, or emulate a SAX parser.
> -- Eduardo
> On Tue, Feb 15, 2011 at 8:24 PM, <> wrote:
>>> What's the point of that?
>> Oh actually the idea is that you only create one iframe and they just
>> modify the innerHTML, so the CSP restrictions do apply. In this case
>> the scripts don't load for other reasons, being.. that they don't have
>> time to execute. I forgot that detail later on.. good for pointing
>> that out ;)
>>> And one more thing.  If you just want to have your HTML parsed in a context in which scripts won't execute, you can simply createDocument a document via the DOMImplementation and then set innerHTML in there...
>> because that's an XML parser.
>> doc.childNodes[0].innerHTML="<img src=x onload=alert(1) onerror=alert(1)>"
>> NS_ERROR_DOM_SYNTAX_ERR on line 1: An invalid or illegal string was specified
>> Greetz!!

Received on Wednesday, 16 February 2011 05:02:08 UTC