
Re: In-browser sanitization vs. a “Safe Node” in the DOM

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 22 Jan 2016 09:19:12 +0100
Message-ID: <CADnb78hsQaDf1t-fW+XESxwRGo2ueLKwa+5L7d6ZWoGdObzRiw@mail.gmail.com>
To: David Ross <drx@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Jan 21, 2016 at 11:52 PM, David Ross <drx@google.com> wrote:
> Safety is enforced by the fact that the untrusted markup is contained
> within a Safe Node.  Breakout is prevented by the design pattern shown
> above.  (e.g.: Setting innerHTML will inherently never allow breaking
> out of the containing node.)

But if you instead use traversal, cloning, etc. it would be possible?

And with sites that use event delegation you could spoof buttons and such.


-- 
https://annevankesteren.nl/
Received on Friday, 22 January 2016 08:19:39 UTC
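The two concerns raised in this reply, as an added example that is not part of the original thread: a delegated click handler resolves `event.target` to the nearest ancestor carrying an action attribute, so an element with the same attribute inside a Safe Node is indistinguishable from the application's own button; and while `innerHTML` cannot escape the containing node, ordinary traversal plus `appendChild` (or `cloneNode`) can move the untrusted subtree out of the Safe Node entirely. The DOM is modelled with plain objects so the code runs in Node.js without a browser; in a real page the lookup is `event.target.closest("[data-action]")`. The attribute names `data-action` and `data-safe-node` are hypothetical, and the hardened variant is one possible mitigation suggested here, not something the thread proposes.

```javascript
// Minimal stand-in for DOM elements: tag, attributes, children, parentNode.
// (Constructed for this example; not a real DOM.)
function el(tag, attrs = {}, children = []) {
  const node = { tag, attrs, children, parentNode: null };
  for (const c of children) c.parentNode = node;
  return node;
}

// Build a page with a trusted "delete account" button and a Safe Node that
// wraps untrusted markup. Inside the Safe Node the attacker placed an element
// carrying the same hypothetical data-action attribute the trusted button uses.
function buildPage() {
  const trustedButton = el("button", { "data-action": "delete-account" });
  const spoofedButton = el("span", { "data-action": "delete-account" });
  const safeNode = el("div", { "data-safe-node": "" }, [el("p", {}, [spoofedButton])]);
  const root = el("body", {}, [trustedButton, safeNode]);
  return { root, trustedButton, spoofedButton, safeNode };
}

// Typical event delegation: one listener on the root walks up from the click
// target to the nearest ancestor with data-action and dispatches on its value.
// It never asks whether that ancestor sits inside untrusted content.
function delegatedActionVulnerable(target) {
  for (let n = target; n; n = n.parentNode) {
    if ("data-action" in n.attrs) return n.attrs["data-action"];
  }
  return null;
}

// True if the path from target to the document root crosses a Safe Node.
function insideSafeNode(target) {
  for (let n = target; n; n = n.parentNode) {
    if ("data-safe-node" in n.attrs) return true;
  }
  return false;
}

// Hardened variant (a suggested mitigation, not from the thread): ignore any
// click originating inside a Safe Node before resolving the action. The check
// must cover the whole ancestor path; testing only the matched element would
// still be fooled by the spoofed span, which itself carries data-action.
function delegatedActionHardened(target) {
  if (insideSafeNode(target)) return null;
  return delegatedActionVulnerable(target);
}

// Traversal plus appendChild: moves a subtree to a new parent. innerHTML on a
// node inside the Safe Node cannot do this, but any script with a reference to
// the untrusted nodes can, and afterwards the boundary check no longer applies.
function reparent(node, newParent) {
  const old = node.parentNode;
  old.children = old.children.filter((c) => c !== node);
  newParent.children.push(node);
  node.parentNode = newParent;
}

function demo() {
  const { root, trustedButton, spoofedButton, safeNode } = buildPage();
  const results = {
    vulnTrusted: delegatedActionVulnerable(trustedButton), // "delete-account"
    vulnSpoofed: delegatedActionVulnerable(spoofedButton), // "delete-account": spoof succeeds
    hardTrusted: delegatedActionHardened(trustedButton),   // "delete-account"
    hardSpoofed: delegatedActionHardened(spoofedButton),   // null: blocked at the Safe Node
  };
  // Now move the untrusted <p> (and the spoofed span in it) out of the Safe Node.
  reparent(safeNode.children[0], root);
  results.hardSpoofedAfterMove = delegatedActionHardened(spoofedButton); // "delete-account"
  return results;
}

console.log(demo());
```

The last result is the point of the first question in the reply: containment that relies on `innerHTML` parsing semantics is only as strong as the guarantee that no trusted script ever reparents or clones nodes out of the Safe Node, and a delegated handler has no way to tell a moved-out spoof from a genuine control.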
