
[whatwg] some thoughts on sandboxed IFRAMEs

From: Aryeh Gregor <Simetrical+w3c@gmail.com>
Date: Thu, 4 Feb 2010 19:48:07 -0500
Message-ID: <7c2a12e21002041648x1fd75a31gf8b504bbda5a8bf3@mail.gmail.com>
On Thu, Feb 4, 2010 at 12:44 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> The same argument could be made for not escaping <, but I don't think
> it's valid in practice - particularly for (hypothetically) constrained
> input fields.

The use-cases for srcdoc are only where you expect HTML input.  HTML
input is very likely to contain " or '.  By contrast, ordinary XSS
usually occurs when < is unlikely to occur in legitimate input, so you
won't spot it right away -- as you say, constrained input fields.  Why
would anyone, even someone who's extremely confused and/or ignorant,
even *attempt* to use srcdoc to contain anything other than HTML?
Received on Thursday, 4 February 2010 16:48:07 UTC
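An added example, not part of the thread: embedding untrusted HTML in a sandboxed iframe via srcdoc, where the character that has to be escaped is the attribute delimiter (and &), not <. The function names and the sample input below are my own.

```javascript
// Added example (not from the thread): building a sandboxed <iframe srcdoc>
// from untrusted HTML. srcdoc is an attribute value, so the escaping that
// matters is attribute escaping: '&' and the quote that delimits the value.
// '<' may stay as-is (srcdoc is meant to hold HTML), but an unescaped '"'
// ends the attribute and lets the rest of the input land in the outer page.

// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;");
}

// Correct form: empty sandbox (no privileges) plus attribute-escaped srcdoc.
// The content still renders as HTML inside the frame.
function sandboxedIframe(untrustedHtml) {
  return '<iframe sandbox srcdoc="' + escapeAttr(untrustedHtml) + '"></iframe>';
}

// Weak form that only escapes '<', the habit that "constrained input"
// XSS thinking suggests. Wrong for an attribute context.
function naiveIframe(untrustedHtml) {
  const escaped = String(untrustedHtml).replace(/</g, "&lt;");
  return '<iframe sandbox srcdoc="' + escaped + '"></iframe>';
}

// Check: does the untrusted content stay inside the srcdoc attribute?
// Exactly two double quotes in the markup means the attribute opened and
// closed where we intended; any more means the input broke out of it.
function contentStaysInAttribute(markup) {
  return (markup.match(/"/g) || []).length === 2;
}

// Constructed sample: ordinary HTML input that legitimately contains quotes.
const SAMPLE_HTML = '<p class="note">She said "hi" &amp; left</p>';
```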
