- From: <sird@rckc.at>
- Date: Wed, 16 Feb 2011 11:55:19 -0800
- To: Giorgio Maone <g.maone@informaction.com>
- Cc: Boris Zbarsky <bzbarsky@mit.edu>, gaz Heyes <gazheyes@gmail.com>, public-web-security@w3.org
Wow, nice. If that's the case, then what Gareth needs, and what I've been trying to do, can be easily achieved on top of that, I guess. I'll make some tests; I'm trying to think if there's anything else missing..

Greetz!

-- Eduardo

On Wed, Feb 16, 2011 at 3:30 AM, Giorgio Maone <g.maone@informaction.com> wrote:
> sird@rckc.at wrote, On 16/02/2011 5.24:
>>
>>> And one more thing. If you just want to have your HTML parsed in a
>>> context in which scripts won't execute, you can simply createDocument a
>>> document via the DOMImplementation and then set innerHTML in there...
>>
>> because that's an XML parser.
>> doc.childNodes[0].innerHTML="<img src=x onload=alert(1) onerror=alert(1)>"
>> NS_ERROR_DOM_SYNTAX_ERR on line 1: An invalid or illegal string was
>> specified
>
> Not necessarily.
>
> Try
>
> var doc = docImpl.createDocumentType("html", "", "");
> var body = doc.createElement("body");
> body.innerHTML="<img src=x onload=alert(1) onerror=alert(1)>"
>
> NoScript uses tricks like these to take into account our fancy and forgiving
> HTML parsing in its XSS filter :)
>
> Cheers
> -- G
Received on Wednesday, 16 February 2011 19:56:13 UTC
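The two parser behaviours discussed in the thread, written up as an added example (this is not code from the thread, from NoScript or from the list): a standalone page that first shows the strict XML parser rejecting the forgiving markup, then parses the same markup into an inert HTML document and lists the active content the real HTML parser found there. It assumes the standard `DOMImplementation.createHTMLDocument()` method as the way to obtain an inert HTML document; `parseAsXml`, `parseInert` and `findActiveContent` are names chosen here.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>Inert HTML parsing demo (added example)</title>
<pre id="out"></pre>
<script>
// Constructed sample: the markup from the thread plus an inline script.
const SAMPLE = '<img src=x onload=alert(1) onerror=alert(1)><script>alert(2)<\/script>';
const log = (msg) => { document.getElementById('out').textContent += msg + '\n'; };

// Point 1: createDocument() yields an XML document, so the innerHTML setter
// uses the strict XML fragment parser and rejects unquoted attributes.
function parseAsXml(markup) {
  const xmlDoc = document.implementation.createDocument(null, 'root', null);
  try {
    xmlDoc.documentElement.innerHTML = markup;
    return { ok: true, error: null };
  } catch (e) {
    return { ok: false, error: e.name }; // a DOMException (SyntaxError)
  }
}

// Point 2: createHTMLDocument() (assumed API) yields an inert HTML document:
// the forgiving HTML parser runs, but the document has no browsing context,
// so neither <script> elements nor on* handlers ever execute.
function parseInert(markup) {
  const inert = document.implementation.createHTMLDocument('');
  inert.body.innerHTML = markup;
  return inert;
}

// What a filter built on top of the inert document can do: enumerate the
// script elements and event-handler attributes as the HTML parser saw them.
function findActiveContent(doc) {
  const hits = [];
  for (const el of doc.body.querySelectorAll('*')) {
    if (el.localName === 'script') hits.push('<script>');
    for (const attr of el.attributes) {
      if (/^on/i.test(attr.name)) hits.push(el.localName + '[' + attr.name + ']');
    }
  }
  return hits;
}

// Record whether any alert() ran in this window while the sample was parsed.
let alertFired = false;
window.alert = () => { alertFired = true; };

const xml = parseAsXml(SAMPLE);
log('XML parser accepted input: ' + xml.ok + (xml.error ? ' (' + xml.error + ')' : ''));
log('Inert HTML parse found: ' + findActiveContent(parseInert(SAMPLE)).join(', '));
log('alert() observed in this window: ' + alertFired);
</script>
```

Save the page locally and open it in a browser; the XML attempt is reported as rejected, while the inert HTML parse lists the img handlers and the script element without any of them running.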