[whatwg] idea about html code security anti xss

From: <gabmeyer@westweb.at>
Date: Wed, 16 Jun 2010 03:19:59 +0200
Message-ID: <3af83ce0d91e3892141b5fe5ad80903f@www.modtest.lan>

Hello,

I had just this idea after reading so much about xss and code injection.

I think there is a simple solution:

1.)
I now invent an attribute called strlen=""

I append this to a <div strlen="94843">htmlcode with strlen of 94843 bytes including whitespace</div>

The browser now knows the exact position where the divtag must end.

You cannot inject some code that closes the tag before.

2.) 
You can now control the code inside the div.
You can also append a second attribute called "secure" that prevents any scriptcode to run from inside the div.


Maybe this idea is not new, or does not work.

Please let me know what you think about this idea.

Christian Gabmeyer 
Received on Tuesday, 15 June 2010 18:19:59 UTC