- From: <sird@rckc.at>
- Date: Fri, 28 Jan 2011 11:55:18 -0600
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Adam Barth <w3c@adambarth.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
Hey! So, yes that's correct :P but you obviously HTML-entify stuff inside the attribute.

<iframe sandbox seamless srcdoc="<?php echo strtr($user_input, Array("&"=>"&amp;", "\""=>"&quot;", "<"=>"&lt;", ">"=>"&gt;")); ?>">

-- Eduardo

On Fri, Jan 28, 2011 at 11:16 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 28 January 2011 16:56, sird@rckc.at <sird@rckc.at> wrote:
>>
>> Hi!
>>
>> The attribute "seamless" will do:
>>
>> 1. If you have b{color:blue} in the doc
>> 2. You have:
>> <iframe sandbox="allow-same-origin" seamless="seamless"
>> srcdoc="<b>xD</b>"></iframe>
>> 3. You get a blue bold "xD".
>
> So it puts HTML content inside an attribute! How would it handle entities? I
> mean if an attribute is rendering as HTML then does ' become '? Who
> thought putting HTML in attributes was a good idea? Does that mean stuff
> like <a href=javascript&#58;alert(1)>test</a> I like the idea of
> externally included sandboxed HTML but not inline.
>
Received on Friday, 28 January 2011 17:56:11 UTC
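The two decoding stages that Eduardo's strtr() escaping relies on, worked through as an added example that is not part of the thread: the outer document's tokenizer ends the attribute value at the first double quote and decodes character references once, and only the result is handed to the sandboxed frame's HTML parser. The function names, the sample inputs and the minimal entity decoder (numeric references plus five named ones, not a full HTML parser) are this example's own assumptions, as is the hypothetical breakout payload.

```javascript
// Added example (not from the thread): model of the two decoding stages a
// browser applies to user HTML placed in an iframe srcdoc attribute.
// Function names and the constructed inputs below are this example's own.

// Stage 0: server-side escaping, equivalent to the strtr() call in the mail.
const ATTR_ESCAPE = { "&": "&amp;", '"': "&quot;", "<": "&lt;", ">": "&gt;" };

function escapeAttr(s) {
  return s.replace(/[&"<>]/g, (c) => ATTR_ESCAPE[c]);
}

function buildSandboxedIframe(userHtml) {
  return `<iframe sandbox seamless srcdoc="${escapeAttr(userHtml)}"></iframe>`;
}

// Stage 1: the outer document's tokenizer reads a double-quoted attribute
// value up to the first double quote, so an unescaped '"' in user input
// ends the attribute early and the rest lands in the outer document.
function extractSrcdoc(markup) {
  const m = /srcdoc="([^"]*)"/.exec(markup);
  return m ? m[1] : null;
}

// Stage 2: character references in the attribute value are decoded exactly
// once. Minimal model: numeric references plus five named ones; anything
// else is left untouched (a real decoder knows many more names).
const NAMED = { amp: "&", quot: '"', lt: "<", gt: ">", apos: "'" };

function decodeAttrValue(v) {
  return v.replace(
    /&(?:#x([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z]+));/g,
    (m, hex, dec, name) => {
      if (hex !== undefined) return String.fromCodePoint(parseInt(hex, 16));
      if (dec !== undefined) return String.fromCodePoint(parseInt(dec, 10));
      return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m;
    }
  );
}

// Stage 3: the decoded value is what the sandboxed frame parses as HTML.
function innerDocument(userHtml) {
  return decodeAttrValue(extractSrcdoc(buildSandboxedIframe(userHtml)));
}

// Walk-through on constructed inputs.
function demo() {
  const results = {};
  // gaz's example round-trips: the frame receives <b>xD</b> and renders it.
  results.bold = innerDocument("<b>xD</b>");
  // gaz's entity question: &#58; survives stage 2 because escapeAttr turned
  // its ampersand into &amp;, so the inner parser is the one that decodes it
  // (inside the href attribute of the sandboxed document).
  results.entity = innerDocument("<a href=javascript&#58;alert(1)>test</a>");
  results.entityInHref = decodeAttrValue("javascript&#58;alert(1)");
  // Hypothetical breakout payload: unescaped, the quote closes the attribute
  // and srcdoc is empty; escaped, the whole payload stays inside srcdoc.
  const raw = '"><script>alert(1)</script>';
  results.unescapedSrcdoc = extractSrcdoc(`<iframe sandbox srcdoc="${raw}"></iframe>`);
  results.escapedSrcdoc = extractSrcdoc(buildSandboxedIframe(raw));
  return results;
}

console.log(demo());
```

Note that the escaping only keeps the user's markup inside the attribute; what the frame then parses is the user's HTML unchanged, so the sandbox attribute, not the escaping, is what contains it.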