- From: Eduardo' Vela <evn@google.com>
- Date: Tue, 7 May 2013 19:31:10 -0700
- To: "Carson, Cory" <Cory.Carson@boeing.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Wednesday, 8 May 2013 02:31:57 UTC
It seems one can do:

    var doc = document.implementation.createHTMLDocument('');
    var r = doc.createRange();
    r.selectNodeContents(doc.body);
    var df = r.createContextualFragment("<a href=javascript:alert(1) onclick=alert(2)>");

And then do a whitelist over the document fragment nodes, and then import the node into the current document.

Apparently, documents without a view don't execute javascript.
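The whitelist step described in the message above, written out as an added example that is not part of the original post. The policy values (ALLOWED_TAGS, ALLOWED_ATTRS, SAFE_URL) and the function names filterNode and sanitizeInto are assumptions chosen for illustration.

```javascript
// Added example: allowlist pass over a fragment parsed in a view-less document.
// The policy below is an assumed sample, not taken from the post.
const ALLOWED_TAGS = new Set(['A', 'B', 'I', 'EM', 'STRONG', 'P', 'BR', 'UL', 'OL', 'LI']);
const ALLOWED_ATTRS = { A: new Set(['href', 'title']) };
const URL_ATTRS = new Set(['href']);
const SAFE_URL = /^(?:https?:|mailto:)/i;   // relative URLs are dropped too (conservative)
const ELEMENT_NODE = 1, TEXT_NODE = 3;

// Walk the inert tree in place: remove any node that is not text or an
// allowlisted element (with its subtree), strip attributes that are not
// allowlisted, and drop URL attributes whose scheme is not allowlisted.
function filterNode(parent) {
  for (const child of Array.from(parent.childNodes)) {
    if (child.nodeType === TEXT_NODE) continue;
    const tag = child.nodeType === ELEMENT_NODE ? child.tagName.toUpperCase() : null;
    if (!tag || !ALLOWED_TAGS.has(tag)) {
      parent.removeChild(child);            // comments, <script>, <svg>, ...
      continue;
    }
    const allowed = ALLOWED_ATTRS[tag] || new Set();
    for (const attr of Array.from(child.attributes)) {
      const name = attr.name.toLowerCase();
      // Test the scheme with whitespace and control characters removed,
      // so "java\tscript:" is judged the way a URL parser would read it.
      const value = attr.value.replace(/[\u0000-\u0020]+/g, '');
      const ok = allowed.has(name) && (!URL_ATTRS.has(name) || SAFE_URL.test(value));
      if (!ok) child.removeAttribute(attr.name);
    }
    filterNode(child);
  }
  return parent;
}

// Browser entry point: parse in a document without a view (the post's
// snippet), filter the fragment, then import it into the live document.
function sanitizeInto(target, html) {
  const doc = document.implementation.createHTMLDocument('');
  const r = doc.createRange();
  r.selectNodeContents(doc.body);
  const df = filterNode(r.createContextualFragment(html));
  target.appendChild(target.ownerDocument.importNode(df, true));
}
```

filterNode only relies on childNodes, attributes, removeChild and removeAttribute, so it can be exercised against any DOM implementation; sanitizeInto needs a browser.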