- From: gaz Heyes <gazheyes@gmail.com>
- Date: Thu, 16 Jun 2011 20:34:40 +0100
- To: Jarred Nicholls <jarred@sencha.com>
- Cc: sird@rckc.at, public-web-security@w3.org
Received on Thursday, 16 June 2011 19:35:18 UTC
On 16 June 2011 18:55, Jarred Nicholls <jarred@sencha.com> wrote:

> I'm not following, why would there be a difference in treatment between DOM
> access and the parser?

Normally string data isn't accepted with an event specified in the DOM. So something like:-

    document.getElementById('x').onclick=function(){};

So I thought since CSP disables eval, setTimeout, etc., setAttribute should be included because it converts string data into JavaScript code. For example:-

    document.getElementById('x').setAttribute('onclick','alert(1)');

You obviously all don't agree and that's fine.
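The distinction drawn in this message (assigning a function to `onclick` versus passing a string to `setAttribute('onclick', ...)`, `setTimeout`, or `eval`) is exactly the kind of string-to-code sink a code reviewer looks for when preparing an application for a CSP without `'unsafe-inline'` or `'unsafe-eval'`. The scanner below is an added example written for this page, not code from the thread or from any CSP implementation. It uses only the standard DOM and JavaScript names quoted above; the sample source it scans is constructed for the demonstration, and the regex rules are intentionally simple (single-line, literal-argument cases), which a real linter would replace with an AST walk.

```javascript
// Added example (not from the original thread): a small source scanner that
// reports string-to-code sinks, i.e. the places where a string becomes
// executable script. Function-valued handlers such as
// `el.onclick = function () {}` are not flagged, matching the point made in
// the message that no string-to-code conversion happens there.

// Each rule is a regex over one line of source plus a label for the report.
// Rules are deliberately simple: they catch literal arguments on a single
// line and are meant as a review aid, not a complete parser.
const RULES = [
  { name: 'eval', re: /\beval\s*\(/g },
  { name: 'Function constructor', re: /\bnew\s+Function\s*\(/g },
  // setTimeout / setInterval whose first argument is a string literal
  { name: 'timer with string code', re: /\b(setTimeout|setInterval)\s*\(\s*(['"`])/g },
  // setAttribute whose attribute name is an on* event handler; the
  // backreference \1 requires the closing quote to match the opening one
  { name: 'setAttribute handler', re: /\.setAttribute\s*\(\s*(['"])on[a-z]+\1/gi },
];

// Scan source text and return one finding per (line, rule) match.
function scanForStringCodeSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const rule of RULES) {
      rule.re.lastIndex = 0; // reset the global regex between lines
      if (rule.re.test(line)) {
        findings.push({ line: idx + 1, rule: rule.name, text: line.trim() });
      }
    }
  });
  return findings;
}

// Human-readable report lines, one per finding.
function formatReport(findings) {
  return findings.map(f => `line ${f.line}: ${f.rule}: ${f.text}`);
}

// Constructed sample input mixing safe patterns with string-to-code sinks.
const SAMPLE = `
// constructed sample, mixing safe and string-to-code patterns
document.getElementById('x').onclick = function () { doWork(); };
document.getElementById('x').setAttribute('onclick', 'alert(1)');
document.getElementById('x').setAttribute('class', 'active');
setTimeout(function () { tick(); }, 100);
setTimeout('tick()', 100);
eval(userInput);
`;

const sampleFindings = scanForStringCodeSinks(SAMPLE);
formatReport(sampleFindings).forEach(l => console.log(l));
```

Run as a plain Node script it prints three findings from the sample: the `setAttribute('onclick', ...)` call, the `setTimeout` with a string argument, and the `eval` call; the function-valued `onclick` assignment, the non-handler `setAttribute('class', ...)`, and the function-valued `setTimeout` are left alone. Each reported location is a place where the application would need `'unsafe-inline'` (inline handler attributes) or `'unsafe-eval'` (timers with strings, `eval`, `Function`) in its `script-src`, so it is a useful worklist when tightening a policy.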