Re: staticHTML support from gaz Heyes on 2011-11-30 (public-web-security@w3.org from November 2011)

From: gaz Heyes <gazheyes@gmail.com>
Date: Wed, 30 Nov 2011 08:57:31 +0000
To: "sird@rckc.at" <sird@rckc.at>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <CADJi-in6+Ummu-92nqeCe0+gP6RSfwH7k-BtO2aJ2L_ZN2Mqbw@mail.gmail.com>

Not sure it helps in this instance since you'd need a seamless/sandboxed
iframe for every instance of the operation and what if you want to alter
innerHTML inside a child node of what you've sandboxed. Unless I'm not
getting your point. Oh btw this works in IE7 too xD

On 30 November 2011 03:29, sird@rckc.at <sird@rckc.at> wrote:

> You could use iframe@sandbox(allow-same-origin) + seamless to make it
> secure I think?
>
> -- Eduardo
>
>
>
>
> On Tue, Nov 29, 2011 at 1:33 AM, gaz Heyes <gazheyes@gmail.com> wrote:
>
>> Hi all
>>
>> I decided to add staticHTML support in JavaScript. Hopefully this will be
>> supported by the various vendors and should be much more secure than my
>> version since you can have access to the DOM before it's rendered but for
>> now it works via the Element prototype. There were a couple of problems I'd
>> like to discuss, I couldn't find a way of allowing an element to be
>> positioned or alter it's dimensions without affecting elements around it.
>>
>> For example if an evil user where to do
>> document.getElementById('x').staticHTML='<a href="//evilsite"
>> style="position:absolute;left:100px;top:100px;">I'm overlapping something I
>> shouldn't</a>'; then just via the property there isn't any way I could
>> figure to protect against it. Maybe you could have an staticHTML area which
>> would solve the problem by restricting all modifications to this area. Also
>> I guess styles are useless too since adding directly to the DOM won't allow
>> styles to be rendered, I could add a staticCssText option which could solve
>> the problem.
>>
>> The other problem I had is that any element which has a class, id or name
>> must be modified to make it safe from affecting the rest of the page, you
>> wouldn't want a evil user to assign or modify an existing css class for
>> example. The only way round this I could see was to prefix the staticHTML
>> with a staticHTML appid to prevent it from being able to modify outside of
>> it's zone. Anyway I hope you support it :D
>>
>> Blog post here:
>> http://www.thespanner.co.uk/2011/11/29/statichtml-property/
>>
>> Demo here:
>> http://www.businessinfo.co.uk/labs/staticHTML/staticHTML.html
>>
>> Cheers
>>
>> Gareth
>>
>
>

Received on Wednesday, 30 November 2011 08:58:09 UTC