
[whatwg] The <iframe> element and sandboxing ideas

From: James Ide <ide@berkeley.edu>
Date: Mon, 21 Jul 2008 16:22:24 -0700
Message-ID: <fb9bd46d0807211622t296b8fefs3ba98e24eccaf442@mail.gmail.com>
I'm not sure that I follow - it seems to me that searching for unescaped
text and failing is not a reliable solution. As you mention:

> The problem is 1: that the user can easily write </span> in his comment and
> bypass the sandbox and 2: it is not backward compatible.

Say I input "</span>" and the application developer has forgotten to
sanitize user input or permits use of the <span> tag (and has done some poor
checking for well-formed code). The application may later display a page
with my input, thus containing (e.g.): <span sandbox=1> </span> </span>,
where "</span>" in the middle is my input.

Is this a span element with unescaped content ("</span>"), or is it
malformed HTML? In my eyes, it's the latter and if any UA were to treat it
this way, it would be trivial to inject more harmful code. On a side note,
would comments be permitted inside a sandbox? Developers may wish to have
this functionality, but there is also the concern of a malicious user
submitting the string "<!--", which, from some brief testing, appears to
cause problems in IE6 and possibly more UAs. I do not have significant
experience with parsers so I can't say for sure if these issues are
showstoppers but they raise some concerns.

> If the browser finds unescaped content inside a sandbox it should refuse to
> display the page - thereby forcing the author to fix this immediately.

As mentioned previously on the topic of sandboxes, such a strict failing
policy may not be desirable. Perhaps a more gentle approach is only not to
render the sandbox's contents and perhaps display an error message in its
stead.

Overall, I'm seeing sandbox elements to be weak safety nets. AFAIK, there is
no way for a UA alone to perfectly determine what is author- or
developer-generated and what is user-submitted; user input must go through
some sanitizing process to be completely safe.

- James
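An added illustration of the point made in the message above; it is not part of James's mail or of the WHATWG proposal. It uses Python's `html.parser` as a stand-in for a UA's tree builder to show where a comment's text ends up when an application wraps it in a hypothetical `<span sandbox="1">` without escaping, versus after HTML-escaping it at output time. The `render` template and the `sandbox="1"` attribute are assumptions made for the example.

```python
import html
from html.parser import HTMLParser


class SandboxTracker(HTMLParser):
    """Record which text nodes a tree-building parser places inside the
    hypothetical <span sandbox="1"> wrapper and which ones land outside it.
    Like a real UA, it only sees tags; it cannot tell author markup from
    user-submitted markup."""

    def __init__(self):
        super().__init__()
        self.depth = 0  # > 0 while inside the sandbox span
        self.inside, self.outside = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "span" and dict(attrs).get("sandbox") == "1":
            self.depth = 1
        elif tag == "span" and self.depth:
            self.depth += 1

    def handle_endtag(self, tag):
        if tag == "span" and self.depth:
            self.depth -= 1  # a user-supplied </span> closes the sandbox here

    def handle_data(self, data):
        if data.strip():
            (self.inside if self.depth else self.outside).append(data.strip())


def render(comment, escape):
    """Assumed page template: author markup around one user comment."""
    body = html.escape(comment) if escape else comment
    return f'<p>Comment:</p><span sandbox="1">{body}</span><p>Footer</p>'


def classify(page):
    """Return (text inside the sandbox, text outside it) as the parser sees it."""
    tracker = SandboxTracker()
    tracker.feed(page)
    tracker.close()
    return tracker.inside, tracker.outside


def leaks_sandbox(comment, escape):
    """True if any of the comment's text is rendered outside the sandbox."""
    inside, outside = classify(render(comment, escape))
    return any(word in " ".join(outside) for word in ("escaped", "text"))
```

Only the escaped rendering keeps the whole comment, including the literal string `</span>`, inside the wrapper; the parser alone cannot recover the boundary once the markup is interleaved.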
Received on Monday, 21 July 2008 16:22:24 UTC
