Re: CSP XML Data with tokens from gaz Heyes on 2011-01-28 (public-web-security@w3.org from January 2011)

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 28 Jan 2011 17:16:10 +0000
To: "sird@rckc.at" <sird@rckc.at>
Cc: Adam Barth <w3c@adambarth.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
Message-ID: <AANLkTi=CJXjttdadt3uth7-Qmm4OFd1i=+ZsevuL81TU@mail.gmail.com>

On 28 January 2011 16:56, sird@rckc.at <sird@rckc.at> wrote:

> Hi!
>
> The attribute "seamless" will do:
>
> 1. If you have b{color:blue} in the doc
> 2. You have:
> <iframe sandbox="allow-same-origin" seamless="seamless"
> srcdoc="<b>xD</b>"></iframe>
> 3. You get, a blue bold "xD".
>

So it puts HTML content inside an attribute! How would it handle entities? I
mean if an attribute is rendering as HTML then does &#39; become '? Who
thought putting HTML in attributes was a good idea? Does that mean stuff
like <a href=javascript&amp;#58;alert(1)>test</a> I like the idea of
externally included sandboxed HTML but not inline.

Received on Friday, 28 January 2011 17:16:44 UTC