- From: gaz Heyes <gazheyes@gmail.com>
- Date: Wed, 30 Nov 2011 08:57:31 +0000
- To: "sird@rckc.at" <sird@rckc.at>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>
- Message-ID: <CADJi-in6+Ummu-92nqeCe0+gP6RSfwH7k-BtO2aJ2L_ZN2Mqbw@mail.gmail.com>
Not sure it helps in this instance since you'd need a seamless/sandboxed iframe for every instance of the operation and what if you want to alter innerHTML inside a child node of what you've sandboxed. Unless I'm not getting your point. Oh btw this works in IE7 too xD On 30 November 2011 03:29, sird@rckc.at <sird@rckc.at> wrote: > You could use iframe@sandbox(allow-same-origin) + seamless to make it > secure I think? > > -- Eduardo > > > > > On Tue, Nov 29, 2011 at 1:33 AM, gaz Heyes <gazheyes@gmail.com> wrote: > >> Hi all >> >> I decided to add staticHTML support in JavaScript. Hopefully this will be >> supported by the various vendors and should be much more secure than my >> version since you can have access to the DOM before it's rendered but for >> now it works via the Element prototype. There were a couple of problems I'd >> like to discuss, I couldn't find a way of allowing an element to be >> positioned or alter it's dimensions without affecting elements around it. >> >> For example if an evil user where to do >> document.getElementById('x').staticHTML='<a href="//evilsite" >> style="position:absolute;left:100px;top:100px;">I'm overlapping something I >> shouldn't</a>'; then just via the property there isn't any way I could >> figure to protect against it. Maybe you could have an staticHTML area which >> would solve the problem by restricting all modifications to this area. Also >> I guess styles are useless too since adding directly to the DOM won't allow >> styles to be rendered, I could add a staticCssText option which could solve >> the problem. >> >> The other problem I had is that any element which has a class, id or name >> must be modified to make it safe from affecting the rest of the page, you >> wouldn't want a evil user to assign or modify an existing css class for >> example. The only way round this I could see was to prefix the staticHTML >> with a staticHTML appid to prevent it from being able to modify outside of >> it's zone. Anyway I hope you support it :D >> >> Blog post here: >> http://www.thespanner.co.uk/2011/11/29/statichtml-property/ >> >> Demo here: >> http://www.businessinfo.co.uk/labs/staticHTML/staticHTML.html >> >> Cheers >> >> Gareth >> > >
Received on Wednesday, 30 November 2011 08:58:09 UTC