[whatwg] some thoughts on sandboxed IFRAMEs

> <span sandbox>&lt;span&gt;But this span will have another span as its
> child, sandboxed. The regular parser sees no entities here, only a
> nested span!&lt;/span&gt;</span>

That's a pretty reasonable variant for lightweight sandboxes, IMO. It
does not have the explicit assurance of a token-based approach (i.e.,
will not fail right away if the user gets it wrong), but it's better
than data: URLs or @doc in that - as you noted - it will fail quickly
if the encapsulated HTML is not escaped, while this may still go
unnoticed until abused:

<iframe sandbox doc="<h1>User input without escaping"></iframe>
<iframe sandbox src="data:text/html,<h1>User input without escaping"></iframe>

As a side note, the other benefit of sandboxed spans and divs in such
a design is that you can then have .innerHTML on sandbox-tagged
elements automagically conform to the sandboxing rules, without the
need for .toStaticHTML, .secureInnerHTML, or similar approaches (which
are error-prone by the virtue of tying sanitization to data access
method, rather than a particular element).

/mz

Received on Sunday, 13 December 2009 17:41:28 UTC
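The escaping asymmetry described in the message, as an added example that is not part of the original post or of the proposal: the element and attribute names (`span sandbox`, `iframe doc`) are the ones under discussion, the helper names and the simplified attribute-value model are my own, and the sample input is constructed.

```javascript
// Escape untrusted text so it is inert both as element content and inside a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Sandboxed span variant: the untrusted HTML travels as escaped text, so the
// outer parser sees one span with no child elements.
function sandboxedSpan(untrustedHtml) {
  return '<span sandbox>' + escapeHtml(untrustedHtml) + '</span>';
}

// doc="" variant: needs the same escaping, but a forgotten escape does not show
// up as a stray child element; it silently ends the attribute instead.
function sandboxedIframeDoc(untrustedHtml) {
  return '<iframe sandbox doc="' + escapeHtml(untrustedHtml) + '"></iframe>';
}

// Lint check for the span variant: raw markup inside the sandboxed span body
// is the "fails quickly" case, because the outer parser will see it as a
// nested element rather than as text.
function spanBodyHasRawMarkup(markup) {
  const m = /^<span sandbox>([\s\S]*)<\/span>$/.exec(markup);
  if (!m) throw new Error('not a sandboxed span');
  return /<[a-zA-Z/!]/.test(m[1]);
}

// Lint check for the doc variant: what the attribute actually carries.
// Simplified tokenizer model (assumption): a double-quoted value ends at the
// first unescaped double quote, so unescaped content is truncated without any
// visible breakage, which is the "unnoticed until abused" case.
function docAttributeValue(markup) {
  const m = /\bdoc="([^"]*)"/.exec(markup);
  return m ? m[1] : null;
}

// Constructed untrusted input containing both markup and a double quote.
const SAMPLE = '<h1 title="hi">User input</h1>';
```

Run `spanBodyHasRawMarkup` and `docAttributeValue` on the escaped and unescaped forms of `SAMPLE` to see one variant surface the missing escape as a nested element while the other quietly drops everything after the first quote.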