- From: Gervase Markham <gerv@mozilla.org>
- Date: Fri, 28 Jan 2011 11:18:00 +0000
- To: gaz Heyes <gazheyes@gmail.com>
- CC: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 28/01/11 11:07, gaz Heyes wrote:
> Hehe I thought you were being awkward, ok the iframe isn't injected it
> serves to read the data that is injected. So the img injection sends the
> data from the page to the next single quote (including the script key)
> to our evil server,

Blimey. I had no idea the HTML content model was so broken that this sort of thing worked.

I guess you could defeat this attack by prefixing every script key with the string '" i.e.

<script>
/* '" SCRIPT_KEY_HERE */
var valid_script = 0;
...
</script>

But I agree that's a bit of a pain to do. We could make it so that the only valid script-keys were ones which began "' ... !

Gerv
Received on Friday, 28 January 2011 11:18:40 UTC
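The following is an added example, not code from the thread or from either correspondent. It models the behaviour gaz Heyes describes (an unterminated quoted attribute value swallowing everything up to the next matching quote, including a script key embedded later in the page) and checks the effect of Gerv's proposed fix of prefixing every script key with `'"`. The page template, the placeholder key value and all function names are constructed for this demonstration; the quote-scanning function is a toy model of attribute parsing, not a browser.

```python
# Added example (not from the mailing-list thread): toy model of the
# "dangling attribute" behaviour described above and of the proposed
# '" prefix on script keys. Everything here is constructed.

# Constructed page: a reflected, unescaped value ({name}) appears before
# a <script> that embeds a per-page secret ({key}).
PAGE_TEMPLATE = (
    "<html><body>\n"
    "<p>Hello {name}</p>\n"
    "<script>\n"
    "/* {key} */\n"
    "var valid_script = 0;\n"
    "</script>\n"
    "</body></html>\n"
)

SCRIPT_KEY = "SCRIPT_KEY_HERE"  # constructed placeholder secret
KEY_PREFIX = "'\""               # the string '" proposed in the message


def dangling_capture(page: str, quote: str) -> str:
    """Model of how an HTML parser fills an unterminated quoted attribute:
    everything after the opening quote, up to the next matching quote (or
    end of document), becomes the attribute value. Newlines and '<' do
    not terminate a quoted attribute value."""
    marker = "src=" + quote
    start = page.index(marker) + len(marker)
    end = page.find(quote, start)
    return page[start:] if end == -1 else page[start:end]


def render(injection_quote: str, key: str) -> str:
    """Render the constructed page with an unterminated <img src=<quote>
    reflected into the {name} slot."""
    return PAGE_TEMPLATE.format(name="<img src=" + injection_quote, key=key)


def leaked_text(injection_quote: str, key: str) -> str:
    """Text that the dangling attribute value would contain."""
    return dangling_capture(render(injection_quote, key), injection_quote)


def key_leaks(injection_quote: str, key: str) -> bool:
    """True if the embedded key ends up inside the dangling attribute value."""
    return key in leaked_text(injection_quote, key)


def protect_key(key: str) -> str:
    """Apply the proposed fix: prefix the key with '" so that whichever
    quote character opened the dangling attribute, the value is closed
    before the key itself."""
    return KEY_PREFIX + key


def is_protected_key(key: str) -> bool:
    """Server-side acceptance check for the stricter variant: only keys
    carrying the prefix are considered valid."""
    return key.startswith(KEY_PREFIX)


if __name__ == "__main__":
    for q in ("'", '"'):
        print(f"quote {q!r}: unprotected key leaks = {key_leaks(q, SCRIPT_KEY)}, "
              f"protected key leaks = {key_leaks(q, protect_key(SCRIPT_KEY))}")
```

With the plain key, both a single- and a double-quoted dangling attribute swallow the whole remainder of the constructed page, key included. With the `'"` prefix, the first character of the prefix that matches the injected quote closes the attribute value, so the captured text stops at `/* ` and the key stays out of it; `is_protected_key` is what enforcing the prefix as a validity rule would look like on the server side.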