- From: <sird@rckc.at>
- Date: Fri, 25 Feb 2011 19:11:53 -0800
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Brandon Sterne <bsterne@mozilla.com>, Lucas Adamski <lucas@mozilla.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, public-web-security@w3.org
And.. the advantage of using JSON is that you get serialization. I mean, you can still get things wrong, but at least it's not as bad as if we allowed arbitrary code. Aaaanyways. -- Eduardo On Fri, Feb 25, 2011 at 4:45 PM, Daniel Veditz <dveditz@mozilla.com> wrote: > On 2/25/11 3:34 PM, Brandon Sterne wrote: >> I believe this pattern violates the HTML 5 standard for the script element: >> http://www.whatwg.org/specs/web-apps/current-work/multipage/scripting-1.html#script > > Well, I suppose technically it's a violation, but browsers have to > cope with all kinds of invalid pages out there. Maybe if the spec > said there must be no element content whatsoever browsers could > ignore it, but because "script documentation" is valid that content > actually exists in the DOM. The browser correctly ignores the > element content in terms of executing anything, but the trick would > work. > >> On 2/25/11 1:43 PM, Lucas Adamski wrote: >>> Hmm, that's interesting... might this not become a dangerous pattern in itself? > > Sure -- the whole thread is predicated on wanting to splat > user-specific content into the document and then do something with > it in script. No matter where they put it there's a risk of XSS if > the content is not sanitized appropriately for the context. > > -Dan Veditz > >
Received on Saturday, 26 February 2011 03:12:46 UTC