Re: CSP XML Data with tokens

> <span security=XXXX>
>
> user_content_which_should_behave_like_cdata_and_not_have_html_tags_interpreted_so_that_xss_here_is_not_possible
> </span security=XXXX>
>
>
Ah, but my point is that before HTML is rendered the start and end markers should
be parsed first. CDATA doesn't matter.


> Perhaps a more compatible approach would be:
>
> <securityXXXX> // With secret token in tag name
>  user_content_here
> </securityXXXX>
>
> ...but it's also unlikely to fly with purists.
>

I prefer this, maybe with some extra characters that aren't likely to be
used:-
 <__securityXXXX__> // With secret token in tag name
  user_content_here
 </__securityXXXX__>

Received on Thursday, 27 January 2011 23:16:17 UTC
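To make the "parse the markers first" point concrete, here is an added example (not code from the thread or from any browser) of the pre-pass such a scheme needs on the consuming side: the token-marked regions are located by exact token before anything is handed to an HTML parser, and their bodies are turned into escaped text. The marker shape `<__security<token>__>` follows the suggestion above; the function names and the Python form are this example's own assumptions.

```python
import html
import secrets

# Constructed example: a pre-pass that locates token-marked regions before any
# HTML parsing happens. The marker names (__security<token>__) follow the
# thread's suggestion; the function names here are this example's own.


def new_token() -> str:
    """Unpredictable per-response token. The whole scheme rests on the token
    being unguessable by whoever supplies the user content."""
    return secrets.token_hex(8)


def wrap_user_content(token: str, content: str) -> str:
    """Server side: emit the raw, unescaped user content between the markers.
    The proposal's point is that no escaping is required at this stage."""
    return f"<__security{token}__>{content}</__security{token}__>"


def neutralize_marked_regions(document: str, token: str) -> str:
    """Consumer side: before the document reaches an HTML parser, find every
    marked region by exact token and replace its body with escaped text, so
    any tags the user put inside are shown literally, never interpreted."""
    open_tag = f"<__security{token}__>"
    close_tag = f"</__security{token}__>"
    out = []
    pos = 0
    while True:
        start = document.find(open_tag, pos)
        if start == -1:
            out.append(document[pos:])          # no further regions
            break
        body_start = start + len(open_tag)
        end = document.find(close_tag, body_start)
        out.append(document[pos:start])         # trusted markup before the region
        if end == -1:
            # Unterminated region: fail closed and treat the rest as untrusted text.
            out.append(html.escape(document[body_start:]))
            break
        out.append(html.escape(document[body_start:end]))
        pos = end + len(close_tag)              # the markers themselves are dropped
    return "".join(out)


if __name__ == "__main__":
    tok = new_token()
    # Constructed sample: untrusted comment text containing markup.
    page = "<p>Comment: " + wrap_user_content(tok, "<b>hi</b><script>x()</script>") + "</p>"
    print(neutralize_marked_regions(page, tok))
    # A closing marker carrying a guessed token does not end the region early.
    page = "<p>" + wrap_user_content(tok, "</__security0000__><b>y</b>") + "</p>"
    print(neutralize_marked_regions(page, tok))
```

Two design points follow from running it. Because the region is delimited by the exact token, a closing marker with any other token stays inside the body and is escaped with everything else; the only string that ends a region is the one with the right token, which is why the token must be unpredictable and fresh per response rather than a fixed site-wide value. An unterminated region is treated as untrusted to the end of the document, which is the safe failure if the server's closing marker is lost or truncated.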