- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Sun, 13 Dec 2009 17:41:28 -0800
> <span sandbox><span>But this span will have another span as its
> child, sandboxed. The regular parser sees no entities here, only a
> nested span!</span></span>

That's a pretty reasonable variant for lightweight sandboxes, IMO. It does not have the explicit assurance of a token-based approach (i.e., will not fail right away if the user gets it wrong), but it's better than data: URLs or @doc in that - as you noted - it will fail quickly if the encapsulated HTML is not escaped, while this may still go unnoticed until abused:

<iframe sandbox doc="<h1>User input without escaping"></iframe>

<iframe sandbox src="data:text/html,<h1>User input without escaping"></iframe>

As a side note, the other benefit of sandboxed spans and divs in such a design is that you can then have .innerHTML on sandbox-tagged elements automagically conform to the sandboxing rules, without the need for .toStaticHTML, .secureInnerHTML, or similar approaches (which are error-prone by virtue of tying sanitization to data access method, rather than a particular element).

/mz
Received on Sunday, 13 December 2009 17:41:28 UTC
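The "fails quickly" versus "goes unnoticed" distinction above can be modelled in a few lines. The following is an added example, not code from the message or from any browser implementation: it builds the three encapsulation variants the message compares, with and without the escaping each context needs, and counts the tags an HTML tokenizer would see. The `sandbox` attribute on `span` and the `doc` attribute on `iframe` are the proposals under discussion, not shipped features; `countTags` is a deliberately minimal model of the tokenizer (it only knows that `<` inside a double-quoted attribute value is literal text).

```javascript
// Context-specific escaping: element content vs. double-quoted attribute value.
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function escapeAttr(s) {
  return escapeText(s).replace(/"/g, "&quot;");
}

// The three variants from the thread. `escape = false` models an author who
// forgot to escape the encapsulated (untrusted) HTML.
function sandboxedSpan(html, escape = true) {
  return `<span sandbox>${escape ? escapeText(html) : html}</span>`;
}
function sandboxedIframeDoc(html, escape = true) {
  return `<iframe sandbox doc="${escape ? escapeAttr(html) : html}"></iframe>`;
}
function sandboxedIframeData(html, escape = true) {
  // A data: URL inside a quoted attribute: percent-encoding covers both the
  // URL syntax and the attribute delimiter.
  const body = escape ? encodeURIComponent(html) : html;
  return `<iframe sandbox src="data:text/html,${body}"></iframe>`;
}

// Minimal tokenizer model: '<' opens a tag only in data state; inside a
// double-quoted attribute value it is ordinary text, which is exactly why an
// unescaped "<h1>" inside doc="..." or a data: URL renders without complaint.
function countTags(markup) {
  let tags = 0, inTag = false, inQuote = false;
  for (const ch of markup) {
    if (inTag) {
      if (inQuote) { if (ch === '"') inQuote = false; }
      else if (ch === '"') inQuote = true;
      else if (ch === ">") inTag = false;
    } else if (ch === "<") { inTag = true; tags++; }
  }
  return tags;
}

// A correctly encapsulated wrapper is exactly two tags: the opener and its
// closer. Any extra tag means untrusted markup became document structure.
function wrapIsIntact(markup) {
  return countTags(markup) === 2;
}

// Constructed sample of untrusted content, as in the message's examples.
const sample = "<h1>User input without escaping";
console.log(wrapIsIntact(sandboxedSpan(sample, false)));       // false: breaks visibly
console.log(wrapIsIntact(sandboxedIframeDoc(sample, false)));  // true: nothing visibly wrong
console.log(wrapIsIntact(sandboxedIframeData(sample, false))); // true: nothing visibly wrong
```

Run under Node.js; the span variant is the only one where a forgotten escape is caught by the first test render, which is the property the message argues for.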