Re: In-browser sanitization vs. a “Safe Node” in the DOM

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 22 Jan 2016 09:19:12 +0100
Message-ID: <CADnb78hsQaDf1t-fW+XESxwRGo2ueLKwa+5L7d6ZWoGdObzRiw@mail.gmail.com>
To: David Ross <drx@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Jan 21, 2016 at 11:52 PM, David Ross <drx@google.com> wrote:
> Safety is enforced by the fact that the untrusted markup is contained
> within a Safe Node.  Breakout is prevented by the design pattern shown
> above.  (e.g.: Setting innerHTML will inherently never allow breaking
> out of the containing node.)

But if you instead use traversal, cloning, etc. it would be possible?

And with sites that use event delegation you could spoof buttons and such.

Received on Friday, 22 January 2016 08:19:39 UTC
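The event-delegation concern raised in the reply, shown as an added example that is not part of this thread or of the Safe Node proposal: a page that handles clicks by matching on class at the document level will also act on a look-alike button that untrusted markup places inside the Safe Node, unless the handler first checks whether the event target sits inside one. The marker attribute `data-safe-node`, the element helper `el`, and the page layout are assumptions made here for illustration; in a browser the same ancestor walk is what `Element.closest('[data-safe-node]')` performs.

```javascript
// Minimal stand-in for DOM nodes so the example runs outside a browser (constructed).
// Only the two members used below, parentNode and getAttribute(), mirror real elements.
function el(tag, attrs = {}, children = []) {
  const node = {
    tag, attrs, children, parentNode: null,
    getAttribute(name) { return name in this.attrs ? this.attrs[name] : null; },
  };
  for (const child of children) child.parentNode = node;
  return node;
}

// Walk from the event target up to the root; true if the target or any ancestor
// is a Safe Node. The data-safe-node marker is an assumption for this example.
function insideSafeNode(target) {
  for (let n = target; n; n = n.parentNode) {
    if (typeof n.getAttribute === 'function' && n.getAttribute('data-safe-node') !== null) {
      return true;
    }
  }
  return false;
}

// Delegated handler of the kind the reply warns about: it selects by class only,
// so a same-looking button injected inside the Safe Node matches as well.
function handleClickNaive(target, actions) {
  if (target.getAttribute('class') === 'buy-button') {
    actions.push('purchase');
    return true;
  }
  return false;
}

// Hardened handler: ignore events whose target originates inside a Safe Node.
function handleClickSafe(target, actions) {
  if (insideSafeNode(target)) return false;
  return handleClickNaive(target, actions);
}

// Constructed page: the site's own button outside the Safe Node, and a
// look-alike button that arrived as part of the untrusted markup inside it.
function buildPage() {
  const realButton = el('button', { class: 'buy-button' });
  const spoofedButton = el('button', { class: 'buy-button' });
  const safeNode = el('div', { 'data-safe-node': '' }, [el('p', {}, [spoofedButton])]);
  const body = el('body', {}, [realButton, safeNode]);
  return { body, realButton, spoofedButton };
}

// Dispatch a click on each button through both handlers and count the actions taken.
function demo() {
  const { realButton, spoofedButton } = buildPage();
  const naive = [];
  const safe = [];
  handleClickNaive(realButton, naive);
  handleClickNaive(spoofedButton, naive);
  handleClickSafe(realButton, safe);
  handleClickSafe(spoofedButton, safe);
  return { naive: naive.length, safe: safe.length }; // naive: 2, safe: 1
}

console.log(demo());
```

The check has to live in the delegated handler itself: containment stops injected markup from escaping the node, but it does nothing about events that bubble out of it to a listener on `document`.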