- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 25 Feb 2011 16:45:26 -0800
- To: Brandon Sterne <bsterne@mozilla.com>
- CC: Lucas Adamski <lucas@mozilla.com>, sird@rckc.at, Devdatta Akhawe <dev.akhawe@gmail.com>, public-web-security@w3.org
On 2/25/11 3:34 PM, Brandon Sterne wrote:
> I believe this pattern violates the HTML 5 standard for the script element:
> http://www.whatwg.org/specs/web-apps/current-work/multipage/scripting-1.html#script

Well, I suppose technically it's a violation, but browsers have to cope with all kinds of invalid pages out there. Maybe if the spec said there must be no element content whatsoever browsers could ignore it, but because "script documentation" is valid that content actually exists in the DOM. The browser correctly ignores the element content in terms of executing anything, but the trick would work.

> On 2/25/11 1:43 PM, Lucas Adamski wrote:
>> Hmm, that's interesting... might this not become a dangerous pattern in itself?

Sure -- the whole thread is predicated on wanting to splat user-specific content into the document and then do something with it in script. No matter where they put it there's a risk of XSS if the content is not sanitized appropriately for the context.

-Dan Veditz
Received on Saturday, 26 February 2011 00:46:22 UTC
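
The point about sanitizing for the context, shown as an added example that is not part of the original message or of any code from the thread: an encoder for user-specific data placed inside script element content, where the HTML parser would otherwise end the element at the first `</script>`. The function names, the `application/json` data-block form and the sample value are assumptions made for illustration.

```javascript
// Added example (not from the original message).
// Assumption: the server emits JSON into a script element, and page script
// later reads it back with JSON.parse(element.textContent).

// Characters that matter in this context: "<" can start "</script>" or
// "<!--", ">" and "&" are escaped for defence in depth, and U+2028/U+2029
// are line terminators in older JavaScript engines if the text is ever
// evaluated as script instead of parsed as JSON.
const SCRIPT_UNSAFE = /[<>&\u2028\u2029]/g;

// Serialize a value so the result is inert as script element content.
// The output is still valid JSON: each unsafe character becomes a \uXXXX
// escape, which JSON.parse turns back into the original character.
function escapeForScriptContent(value) {
  const json = JSON.stringify(value);
  if (json === undefined) {
    throw new TypeError("value is not JSON-serializable");
  }
  return json.replace(SCRIPT_UNSAFE, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Build the data block. The id is validated separately because it lands in
// an attribute, which is a different context with different rules.
function renderDataBlock(id, value) {
  if (!/^[A-Za-z][\w-]*$/.test(id)) {
    throw new RangeError("id must be a simple identifier");
  }
  return '<script type="application/json" id="' + id + '">' +
    escapeForScriptContent(value) + "</script>";
}

// Constructed sample: user-supplied text that tries to close the element.
const sample = {
  name: "</script><p>injected",
  note: "<!-- a & b \u2028 c",
};
```

HTML-entity encoding would be the wrong tool here: script element content is raw text, so `&lt;` would reach the script as five literal characters instead of `<`.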