
Re: CSP/innerHTML/JS Sandbox

From: Paul Theriault <ptheriault@mozilla.com>
Date: Wed, 8 May 2013 09:04:28 -0700
Cc: "Carson, Cory" <Cory.Carson@boeing.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-Id: <D3636F59-B18F-4BA3-B048-19F8C73FADFA@mozilla.com>
To: Eduardo' Vela <evn@google.com>
An implementation of a sanitizer using this approach is bleach.js: https://github.com/asutherland/bleach.js/blob/master/lib/bleach.js

On May 7, 2013, at 7:31 PM, Eduardo' Vela wrote:

> It seems one can do:
> var doc = document.implementation.createHTMLDocument('');
> var r = doc.createRange();
> r.selectNodeContents(doc.body);
> var df = r.createContextualFragment("<a href=javascript:alert(1) onclick=alert(2)>");
> 
> And then do a whitelist over the document fragment nodes, and then import the node into the current document. Apparently, documents without a view don't execute javascript.
Received on Wednesday, 8 May 2013 17:49:53 UTC
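The snippet quoted above parses untrusted markup in a document that has no browsing context, so neither the `javascript:` URL nor the `onclick` handler can fire while the tree is inspected. What the mail leaves implicit is the whitelist pass itself. The following is an added example, written for this page; it is not code from the thread, from bleach.js, or from either author. The element and attribute policy, the URL-scheme check, and the tiny node shim (`el`, `text`, `serialize`) that lets the walker run outside a browser are all assumptions of this example. In a browser, `sanitizeHTML` uses the inert-document construction from the mail and `importNode` to move the cleaned nodes into the live document.

```javascript
// Whitelist sanitizer over a DOM(-like) tree. Policy and shim are assumptions
// of this example, not the thread's or bleach.js's own rules.
const ALLOWED_ELEMENTS = new Set(["A", "B", "I", "EM", "STRONG", "P", "BR",
                                  "UL", "OL", "LI", "IMG", "SPAN", "DIV"]);
const ALLOWED_ATTRS = {            // per-element allow list; "*" applies to all
  "*": new Set(["title"]),
  A: new Set(["href"]),
  IMG: new Set(["src", "alt"]),
};
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_SCHEMES = /^(?:https?|mailto):/i;

// Accept relative URLs and http/https/mailto only. ASCII controls and spaces
// are stripped first because the HTML URL parser drops them, so "java\tscript:"
// would otherwise slip past a naive prefix check. The check runs on the parsed
// attribute value, so entity-encoded forms are already decoded by this point.
function isSafeUrl(value) {
  const v = String(value).replace(/[\u0000-\u0020]/g, "");
  if (!/^[a-z][a-z0-9+.-]*:/i.test(v)) return true;   // no scheme: relative URL
  return SAFE_SCHEMES.test(v);
}

// Recursively prune: drop any element not on the allow list (with its whole
// subtree), drop any attribute not allowed for that element, and drop URL
// attributes whose scheme is not safe. Text nodes are kept as-is.
function sanitizeTree(node) {
  // Iterate over a snapshot because removals mutate the live child list.
  for (const child of Array.from(node.childNodes)) {
    if (child.nodeType === 3) continue;                 // text
    // nodeName is upper-case for HTML elements but case-preserving for
    // foreign content (svg/math), so <svg><script> never matches the list.
    if (child.nodeType !== 1 || !ALLOWED_ELEMENTS.has(child.nodeName)) {
      child.remove();                                   // comments, script, iframe, unknown...
      continue;
    }
    const perElement = ALLOWED_ATTRS[child.nodeName] || new Set();
    for (const attr of Array.from(child.attributes)) {
      const name = attr.name.toLowerCase();
      const allowed = ALLOWED_ATTRS["*"].has(name) || perElement.has(name);
      if (!allowed || (URL_ATTRS.has(name) && !isSafeUrl(attr.value))) {
        child.removeAttribute(attr.name);
      }
    }
    sanitizeTree(child);
  }
}

// Browser entry point: the inert-document construction from the mail.
function sanitizeHTML(html, targetDocument = document) {
  const inert = targetDocument.implementation.createHTMLDocument("");
  const range = inert.createRange();
  range.selectNodeContents(inert.body);
  const fragment = range.createContextualFragment(html);
  sanitizeTree(fragment);
  // Import the nodes rather than re-serialising to a string: re-parsing the
  // output could yield a different tree (mutation XSS).
  return targetDocument.importNode(fragment, true);
}

// Minimal node shim (assumption, for running outside a browser) that offers
// only the DOM surface sanitizeTree touches.
function el(nodeName, attrs = {}, children = []) {
  const node = {
    nodeType: 1, nodeName, parentNode: null, childNodes: children,
    attributes: Object.entries(attrs).map(([name, value]) => ({ name, value })),
    removeAttribute(name) { node.attributes = node.attributes.filter(a => a.name !== name); },
    remove() { node.parentNode.childNodes = node.parentNode.childNodes.filter(c => c !== node); },
  };
  for (const c of children) c.parentNode = node;
  return node;
}
function text(data) { return { nodeType: 3, nodeName: "#text", data, parentNode: null }; }
function serialize(node) {
  if (node.nodeType === 3) return node.data;
  const tag = node.nodeName.toLowerCase();
  const attrs = node.attributes.map(a => ` ${a.name}="${a.value}"`).join("");
  return `<${tag}${attrs}>${node.childNodes.map(serialize).join("")}</${tag}>`;
}

// Constructed sample: the payload from the thread plus a few classic vectors.
function demo() {
  const root = el("DIV", {}, [
    el("A", { href: "javascript:alert(1)", onclick: "alert(2)" }, [text("click")]),
    el("A", { href: "\tjava\nscript:alert(3)" }, [text("obfuscated")]),
    el("A", { href: "https://example.org/", title: "ok" }, [text("fine")]),
    el("IMG", { src: "/x.png", onerror: "alert(4)" }),
    el("SCRIPT", {}, [text("alert(5)")]),
    el("svg", {}, [el("script", {}, [text("alert(6)")])]),
  ]);
  sanitizeTree(root);
  return serialize(root);
}
```

Note that the check on `href`/`src` is applied to the DOM attribute value, not to the raw markup, which is the main reason to sanitize a parsed tree rather than to regex the string: the parser has already normalised entities and casing by the time the walker sees it, so the policy and the browser agree on what the value is.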

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:01 UTC