- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 9 Aug 2010 22:36:59 +0000 (UTC)
On Wed, 16 Jun 2010, gabmeyer at westweb.at wrote:
>
> I had just this idea after reading so much about XSS and code injection.
>
> I think there is a simple solution:
>
> 1.)
> I now invent an attribute called strlen=""
>
> I append this to a <div strlen="94843">HTML code with strlen of 94843 bytes including whitespace</div>
>
> The browser now knows the exact position where the div tag must end.
>
> You cannot inject some code that closes the tag before.
>
> 2.)
> You can now control the code inside the div.
> You can also append a second attribute called "secure" that prevents any script code from running inside the div.

On Wed, 16 Jun 2010, Anne van Kesteren wrote:
>
> We considered something like this before, but it was thought to be too
> complicated and not backwards compatible enough. In the current draft
> you will find <iframe srcdoc=...></iframe> which does what you propose
> with the relatively small change that the sandboxed code is inside an
> attribute rather than an element. For fallback the src attribute can be
> used.

Indeed.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 9 August 2010 15:36:59 UTC
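The approach Anne van Kesteren points to, as an added example that is not code from the thread or from the WHATWG draft: the untrusted markup is carried in the srcdoc attribute of an iframe, so the only characters that could break out of it are the attribute delimiters, and an empty sandbox attribute keeps whatever markup does get through from running script. The attacker payload below is constructed for the example; the fallback URL handed to src (about:blank here, or a server-side fallback page) is an assumption, as is the simplified entity decoder, which only reverses the four references the escaper produces where a browser decodes all of them.

```javascript
// Added example, not code from the original thread. Wrap untrusted HTML
// in <iframe sandbox="" srcdoc="..."> so it can neither break out of its
// container (it lives inside an attribute) nor run script (sandbox).

// Escape for a double-quoted attribute value. Only & and " are
// structurally significant inside the quotes; < and > are escaped as
// well so the same output is also safe between tags.
function escapeAttribute(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Inverse of escapeAttribute. A browser decodes every character
// reference when it reads the attribute; this simplified decoder
// (an assumption of the example) handles only the four produced above,
// enough to show the inner document receives exactly what was handed in.
function decodeAttribute(value) {
  return String(value)
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Markup for a sandboxed frame carrying untrustedHtml. An empty sandbox
// attribute applies every restriction: no script, no forms, no plugins,
// no top-level navigation, and an opaque origin, so the content cannot
// read the embedding page's cookies or DOM. Browsers that predate srcdoc
// ignore that attribute and load fallbackSrc instead (about:blank here;
// a server-side fallback URL would be the usual choice).
function sandboxedIframeMarkup(untrustedHtml, fallbackSrc = "about:blank") {
  return '<iframe sandbox="" srcdoc="' + escapeAttribute(untrustedHtml) +
         '" src="' + escapeAttribute(fallbackSrc) + '"></iframe>';
}

// The same thing through the DOM, for use inside a page. Setting
// attributes via the DOM API needs no escaping: there is no string
// serialisation step to break out of. Set sandbox before the frame is
// inserted so the flags apply to its first load. Returns null where no
// document exists (e.g. under Node).
function sandboxedIframeElement(untrustedHtml, fallbackSrc = "about:blank") {
  if (typeof document === "undefined") return null;
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", "");
  frame.setAttribute("src", fallbackSrc);
  frame.setAttribute("srcdoc", untrustedHtml);
  return frame;
}

// Constructed attacker payload: tries to close the attribute, close the
// frame element and run script in the embedding page.
const PAYLOAD = '"></iframe><script>alert(document.cookie)</script>';

// Checks a reviewer would run: the payload never reaches the outer parser
// as markup, the frame remains a single element, and the inner document
// sees the payload unchanged (the sandbox, not the escaping, is what then
// keeps its <script> from executing).
function demo() {
  const markup = sandboxedIframeMarkup(PAYLOAD);
  return {
    markup,
    outerScriptTags: (markup.match(/<script/g) || []).length,
    iframeCloses: (markup.match(/<\/iframe>/g) || []).length,
    roundTrip: decodeAttribute(escapeAttribute(PAYLOAD)) === PAYLOAD,
  };
}
```

Note the two things the strlen proposal tried to do in one attribute are split here: containment comes from attribute escaping (or from using the DOM API, which needs none), and script suppression comes from sandbox. Without the sandbox attribute, srcdoc content runs with the embedding page's origin and the escaping alone would buy nothing against the injected script.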