Re: CSP and innerHTML

Yes, that's a good analogy. We are not really concerned about traditional
XSS, but more about jQuery-type APIs being misused, which are mostly
introduced by innerHTML being used instead of textContent/innerText, or
being used for WYSIWYG editors and rich text fields.

Received on Tuesday, 30 April 2013 19:10:41 UTC