- From: <sird@rckc.at>
- Date: Tue, 15 Feb 2011 21:01:15 -0800
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
Oh, now that I remember Firefox also executes event handles on unappended nodes, so the parseHTML trick I used, doesn't work on Firefox 3.6 anyways.. but that code was made like in 10 minutes, and verified in browsers in like 5, so well.. I filed a bug about this a long time ago, and was marked as wontfix. Greetz -- Eduardo On Tue, Feb 15, 2011 at 8:43 PM, sird@rckc.at <sird@rckc.at> wrote: > For what is worth.. if browser provide a safe way of creating a DOM > like this.. one could simply traverse it and create a second fake DOM > later on on top of that, or emulate a SAX parser. > -- Eduardo > > > > > On Tue, Feb 15, 2011 at 8:24 PM, sird@rckc.at <sird@rckc.at> wrote: >>> What's the point of that? >> Oh actually the idea is that you only create one iframe and they just >> modify the innerHTML, so the CSP restrictions do apply. In this case >> the scripts don't load for other reasons, being.. that they don't have >> time to execute. I forgot that detail later on.. good for pointing >> that out ;) >> >>> And one more thing. If you just want to have your HTML parsed in a context in which scripts won't execute, you can simply createDocument a document via the DOMImplementation and then set innerHTML in there... >> because that's an XML parser. >> >> doc.childNodes[0].innerHTML="<img src=x onload=alert(1) onerror=alert(1)>" >> NS_ERROR_DOM_SYNTAX_ERR on line 1: An invalid or illegal string was specified >> >> Greetz!! >> >
Received on Wednesday, 16 February 2011 05:02:08 UTC