Re: A perfect DOM sandbox from Giorgio Maone on 2011-02-16 (public-web-security@w3.org from February 2011)

From: Giorgio Maone <g.maone@informaction.com>
Date: Wed, 16 Feb 2011 23:40:12 +0100
To: gaz Heyes <gazheyes@gmail.com>
CC: "sird@rckc.at" <sird@rckc.at>, Boris Zbarsky <bzbarsky@mit.edu>, public-web-security@w3.org
Message-ID: <4D5C524C.5090205@informaction.com>

gaz Heyes wrote, On 16/02/2011 21.49:
>
> I think the createElement bit is broken in firefox, when you assigned to 
> innerHTML it executes without assigning the doc to the dom.
Damn copy & paste, I messed almost everything :)

This one works on Firefox 4 and Chrome:

var impl = document.implementation;
var doc = impl.createHTMLDocument("");
var body = doc.createElement("body");
body.innerHTML = "<img src=x onload=alert(1) onerror=alert(1)>";
alert(body.innerHTML);


This one is slightly more complex but works on Fx 3.6 as well 
(createHTMLDocument has been introduced in Gecko 2.0):

var impl = document.implementation;
var doc = impl.createDocument(
       "http://www.w3.org/1999/xhtml", "html", impl.createDocumentType(
         "html", "-//W3C//DTD HTML 4.01 Transitional//EN", "http://www.w3.org/TR/html4/loose.dtd"
       ));
var body = doc.createElement("body");
body.innerHTML = "<img src=x onload=alert(1) onerror=alert(1)>";
alert(body.innerHTML);


Cheers
-- G

Received on Wednesday, 16 February 2011 22:41:05 UTC