Re: HTML imports: new XSS hole?

From: Giorgio Maone <g.maone@informaction.com>
Date: Mon, 02 Jun 2014 22:21:43 +0200
Message-ID: <538CDCD7.6070103@informaction.com>
To: Boris Zbarsky <bzbarsky@MIT.EDU>, public-webapps@w3.org

On 02/06/2014 15:01, Boris Zbarsky wrote:
> On 6/2/14, 8:54 AM, James M Snell wrote:
>> So long as they're handled with the same policy and restrictions as the
>> script tag, it shouldn't be any worse.
>
> It's worse for sites that have some sort of filtering on user-provided
> content but don't catch this case right now, no?
>
> -Boris
>

I do hope any filter already blocked out <link> elements, as CSS has
been an XSS vector for a long time, courtesy of MSIE expressions and XBL
bindings.
-- G
Received on Monday, 2 June 2014 20:22:09 UTC
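
The filtering concern raised in this exchange, as an added example that is not part of the original messages: a check of whether a filter for user-provided content lets `<link>` elements through. The tag lists, function names and sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Hypothetical allowlist policy for user-provided content (an assumption).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
# Hypothetical denylist of the kind discussed: it enumerates known-bad tags
# and does not mention <link>.
LEGACY_DENYLIST = {"script", "iframe", "object", "embed"}


class TagCollector(HTMLParser):
    """Records (tag, attrs) for every start tag; names arrive lowercased."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def collect_tags(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def denylist_rejects(markup):
    """True if the markup contains a tag the denylist names."""
    return any(tag in LEGACY_DENYLIST for tag, _ in collect_tags(markup))


def allowlist_rejects(markup):
    """True if the markup contains any tag outside the allowlist.
    Attribute values on allowed tags are out of scope for this check."""
    return any(tag not in ALLOWED_TAGS for tag, _ in collect_tags(markup))


def link_elements(markup):
    """rel value of every <link> element found, for audit logging."""
    return [a.get("rel") or "" for t, a in collect_tags(markup) if t == "link"]


# Constructed sample inputs (example.invalid never resolves).
SAMPLES = {
    "plain": "<p>Hello <b>world</b></p>",
    "import": '<p>hi</p><link rel="import" href="https://example.invalid/x.html">',
    "stylesheet": '<LINK REL=stylesheet HREF="https://example.invalid/x.css">',
}
```

Running a filter's regression suite through `link_elements` shows whether any `<link>` survives, whatever its `rel` value.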