W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2013

Re: CSP/innerHTML/JS Sandbox

From: Eduardo' Vela <evn@google.com>
Date: Tue, 7 May 2013 19:31:10 -0700
Message-ID: <CAFswPa8eZ4ZqZWMFwR=xGgWdNVfXWKqyqatRN2BaSkNoZpUqLw@mail.gmail.com>
To: "Carson, Cory" <Cory.Carson@boeing.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
It seems one can do:
var doc = document.implementation.createHTMLDocument(''); var r =
doc.createRange(); r.selectNodeContents(doc.body); var df =
r.createContextualFragment("<a href=javascript:alert(1) onclick=alert(2)>");

And then do a whitelist over the document fragment nodes, and then import
the node into the current document. Apparently, documents without a view
don't execute javascript.
Received on Wednesday, 8 May 2013 02:31:57 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:33 UTC