- From: Jarred Nicholls <jarred@sencha.com>
- Date: Thu, 16 Jun 2011 13:55:55 -0400
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: sird@rckc.at, public-web-security@w3.org
Received on Thursday, 16 June 2011 17:56:43 UTC
On Thu, Jun 16, 2011 at 10:56 AM, gaz Heyes <gazheyes@gmail.com> wrote:

> On 16 June 2011 15:46, Eduardo Vela <sirdarckcat@gmail.com> wrote:
>
>> It's by design.
>>
>> This also works with inline-scripts enabled:
>>
>> document.write("<script>alert(1)</script>")
>>
>
> That's slightly different though, you're writing HTML but in my previous
> example it's clearly executing a string as JS but I take your point
>

I'm not following, why would there be a difference in treatment between DOM access and the parser?

--
................................................................
*Sencha*
Jarred Nicholls, Senior Software Architect
@jarrednicholls <http://twitter.com/jarrednicholls>