- From: Giorgio Maone <g.maone@informaction.com>
- Date: Wed, 16 Feb 2011 12:30:37 +0100
- To: "sird@rckc.at" <sird@rckc.at>
- CC: Boris Zbarsky <bzbarsky@mit.edu>, gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
sird@rckc.at wrote, On 16/02/2011 5.24:
>
>> And one more thing. If you just want to have your HTML parsed in a context in which scripts won't execute, you can simply createDocument a document via the DOMImplementation and then set innerHTML in there...
>
> because that's an XML parser.
>
> doc.childNodes[0].innerHTML="<img src=x onload=alert(1) onerror=alert(1)>"
>
> NS_ERROR_DOM_SYNTAX_ERR on line 1: An invalid or illegal string was specified

Not necessarily. Try

var doc = docImpl.createDocument(null, "html", docImpl.createDocumentType("html", "", ""));
var body = doc.createElement("body");
body.innerHTML = "<img src=x onload=alert(1) onerror=alert(1)>";

NoScript uses tricks like these to take into account our fancy and forgiving HTML parsing in its XSS filter :)

Cheers
-- G
Received on Wednesday, 16 February 2011 11:32:41 UTC
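The thread turns on one practical point: a filter that parses untrusted markup with an XML parser rejects input the browser's forgiving HTML parser happily turns into an element with onload/onerror handlers, so the filter never sees what the browser will execute. The following is an added example, not code from the thread, from NoScript or from Gecko. It models both parsers for a single start tag: parseStartTagHTML follows the forgiving attribute rules of the HTML tokenizer (unquoted values, "/" as an attribute separator, case-insensitive names, first duplicate wins), and parseStartTagXML enforces XML well-formedness and throws on the same kind of input that produced NS_ERROR_DOM_SYNTAX_ERR above. All function names are this example's own; the first sample is the payload from the thread, the other two are constructed.

```javascript
// Added example (not from the thread, NoScript or Gecko): a deliberately simplified
// model of the two parsers the thread contrasts, limited to one start tag. It does
// no tree construction, character references, comments or script/style handling.

const WS = new Set([" ", "\t", "\n", "\f", "\r"]);

// Read characters from position i until whitespace or one of the stop characters.
function readUntil(input, i, stops) {
  let out = "";
  while (i < input.length && !WS.has(input[i]) && !stops.includes(input[i])) {
    out += input[i++];
  }
  return [out, i];
}

function skipWS(input, i) {
  while (i < input.length && WS.has(input[i])) i++;
  return i;
}

// Forgiving (HTML-style) parse. Returns { name, attrs } or null if input is not a start tag.
function parseStartTagHTML(input) {
  if (input[0] !== "<") return null;
  let [name, i] = readUntil(input, 1, "/>");
  if (!name) return null;
  const attrs = {};
  while (i < input.length && input[i] !== ">") {
    // "Before attribute name" state: whitespace and a stray "/" are both skipped.
    if (WS.has(input[i]) || input[i] === "/") { i++; continue; }
    let attrName;
    [attrName, i] = readUntil(input, i, "/>=");
    i = skipWS(input, i);
    let value = "";
    if (input[i] === "=") {
      i = skipWS(input, i + 1);
      const q = input[i];
      if (q === '"' || q === "'") {
        const end = input.indexOf(q, i + 1);
        value = end === -1 ? input.slice(i + 1) : input.slice(i + 1, end);
        i = end === -1 ? input.length : end + 1;
      } else {
        // Unquoted value: runs to whitespace or ">" ("/" is part of the value here).
        [value, i] = readUntil(input, i, ">");
      }
    }
    const lname = attrName.toLowerCase();
    if (lname && !(lname in attrs)) attrs[lname] = value; // first duplicate wins
  }
  return { name: name.toLowerCase(), attrs };
}

// Strict (XML-style) parse of one start tag. Throws SyntaxError on anything that is not
// well-formed: unquoted or missing values, attributes not separated by whitespace,
// duplicate attributes, or a "/" that is not part of "/>".
function parseStartTagXML(input) {
  const fail = (msg) => { throw new SyntaxError(msg); };
  if (input[0] !== "<") fail("expected '<'");
  let [name, i] = readUntil(input, 1, "/>");
  if (!name) fail("missing element name");
  const attrs = {};
  for (;;) {
    const separated = WS.has(input[i]);
    i = skipWS(input, i);
    if (i >= input.length) fail("unterminated start tag");
    if (input[i] === ">") break;
    if (input[i] === "/") {
      if (input[i + 1] === ">") break;
      fail("'/' is only allowed as part of '/>'");
    }
    if (!separated) fail("attributes must be separated by whitespace");
    let attrName;
    [attrName, i] = readUntil(input, i, "/>=");
    if (!attrName) fail("missing attribute name");
    i = skipWS(input, i);
    if (input[i] !== "=") fail(`attribute "${attrName}" has no value`);
    i = skipWS(input, i + 1);
    const q = input[i];
    if (q !== '"' && q !== "'") fail(`attribute "${attrName}" value must be quoted`);
    const end = input.indexOf(q, i + 1);
    if (end === -1) fail("unterminated attribute value");
    if (attrName in attrs) fail(`duplicate attribute "${attrName}"`);
    attrs[attrName] = input.slice(i + 1, end);
    i = end + 1;
  }
  return { name, attrs };
}

// What an XSS filter cares about: which event-handler attributes survive parsing.
function eventHandlers(parsed) {
  return Object.keys(parsed.attrs).filter((a) => a.toLowerCase().startsWith("on")).sort();
}

// Run both parsers over one fragment and report what each of them sees.
function compare(fragment) {
  const html = parseStartTagHTML(fragment);
  let xml = null, xmlError = null;
  try { xml = parseStartTagXML(fragment); } catch (e) { xmlError = e.message; }
  return {
    htmlHandlers: html ? eventHandlers(html) : null,
    xmlHandlers: xml ? eventHandlers(xml) : null,
    xmlError,
  };
}

// The payload from the thread, plus two constructed variants.
const SAMPLES = [
  "<img src=x onload=alert(1) onerror=alert(1)>", // from the thread
  "<IMG/SRC/ONERROR='alert(1)'>",                 // constructed: "/" separators, upper case
  '<img src="x" onerror="alert(1)"/>',            // constructed: well-formed as XML too
];

for (const s of SAMPLES) console.log(s, "=>", compare(s));
```

For the thread's payload the XML-style parse fails at the first unquoted value and reports nothing, while the HTML-style parse returns an img element carrying both onload and onerror; the second sample shows the same gap with "/" used as a separator and mixed-case names, and only the third, fully quoted, fragment is seen identically by both. In a current browser the inert-parse idea Boris describes is spelled document.implementation.createHTMLDocument("") (or DOMParser with "text/html"): such a document has no browsing context, so inline handlers do not fire, and a filter can walk the resulting tree for on* attributes with the same parser the page itself will be rendered with. This toy stops at a single start tag; a real filter has to reuse the browser's parser rather than approximate it.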