RE: XSS mitigation in browsers

> -----Original Message-----
> From: public-web-security-request@w3.org [mailto:public-web-security-
> request@w3.org] On Behalf Of Michal Zalewski
> 
> Specifically, consider that within any medium-complexity domain
> (mozilla.com, google.com, facebook.com), you can almost certainly discover
> a location that returns HTML-escaped attacker-supplied text in a context that
> would parse as valid JavaScript. This is easier than expected particularly in
> browsers that support E4X - such as Firefox.
> If I have a 404 HTML page saying:

Not to nitpick on this bug too much, but regardless of the underlying parsing issue, shouldn't the browser refuse to load this resource when it gets returned with a 404 error code?

At least we'd exclude the one corner case then, right?

- Andy

Received on Monday, 24 January 2011 17:58:24 UTC
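The check Andy proposes, as an added example that is not code from this thread or from any browser: a loader-side policy that refuses to hand a fetched resource to the script interpreter unless the server answered with a success status. As a generalization of the same idea it also rejects non-JavaScript Content-Type values (the check browsers apply when `X-Content-Type-Options: nosniff` is set), so an HTML error page whose text happens to parse as JavaScript is never executed. The URLs and responses are constructed for the example, not captured from any real site.

```javascript
// Added example, not code from the thread: refuse to execute a fetched
// "script" unless the server answered with a success status and a script
// Content-Type. The 404 corner case from the thread is rejected on status
// alone, before the body is ever parsed.

const SCRIPT_MIME_TYPES = new Set([
  'application/javascript',
  'text/javascript',
  'application/ecmascript',
  'text/ecmascript',
]);

// Normalize a Content-Type header to its bare, lowercase media type.
function mediaType(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// Policy: may a response with this status and Content-Type run as a script?
// Returns { ok, reason } so the caller can log why a load was refused.
function scriptResponsePolicy(status, contentType) {
  if (status < 200 || status >= 300) {
    return { ok: false, reason: `non-success HTTP status ${status}` };
  }
  const mime = mediaType(contentType);
  if (!SCRIPT_MIME_TYPES.has(mime)) {
    return { ok: false, reason: `Content-Type "${mime || '(none)'}" is not a script type` };
  }
  return { ok: true, reason: 'accepted' };
}

// Apply the policy to a response-like object { status, headers, body }
// (headers is a Map keyed by lowercase header name). The script source is
// returned only when execution is allowed; otherwise source is null.
function scriptSourceIfAllowed(response) {
  const decision = scriptResponsePolicy(response.status, response.headers.get('content-type'));
  return {
    execute: decision.ok,
    reason: decision.reason,
    source: decision.ok ? response.body : null,
  };
}

// Constructed responses (assumed, not captured from any real server) covering
// the thread's corner case and two ordinary outcomes.
const CONSTRUCTED_RESPONSES = {
  // A 404 error page: the body is irrelevant because the status alone rejects it.
  'https://app.example.invalid/missing.js': {
    status: 404,
    headers: new Map([['content-type', 'text/html; charset=utf-8']]),
    body: '<html><body>Not found</body></html>',
  },
  // A 200 that is still HTML (e.g. a catch-all route): rejected by Content-Type.
  'https://app.example.invalid/catchall': {
    status: 200,
    headers: new Map([['content-type', 'text/html']]),
    body: '<html><body>Welcome</body></html>',
  },
  // A genuine script: accepted.
  'https://app.example.invalid/app.js': {
    status: 200,
    headers: new Map([['content-type', 'application/javascript']]),
    body: 'console.log("app loaded");',
  },
};

// Run the check over every constructed response; returns url -> decision.
function evaluateAll(responses = CONSTRUCTED_RESPONSES) {
  const results = {};
  for (const [url, response] of Object.entries(responses)) {
    results[url] = scriptSourceIfAllowed(response);
  }
  return results;
}

// In a browser the same policy would sit between fetch() and the point where
// source text is handed to a <script> element; here we only print decisions.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [url, r] of Object.entries(evaluateAll())) {
    console.log(`${r.execute ? 'EXECUTE' : 'REFUSE '} ${url}: ${r.reason}`);
  }
}
```

The status test answers the question in the reply directly; the Content-Type test covers the related case where an error or catch-all page is served with 200, which a status check alone would let through.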