- From: Arun Ranganathan <arun@mozilla.com>
- Date: Tue, 15 Jun 2010 18:29:50 -0700
On 6/15/10 6:19 PM, gabmeyer at westweb.at wrote: > Hello, > > I had just this idea after reading so much about xss and code injection. > > I think there is a simple solution: > > 1.) > I now invent an attribute called strlen="" > > I append this to a<div strlen="94843">htmlcode with strlen of 94843 bytes including whitespace</div> > > The browser know knows the exact position where the divtag must end. > > You cannot inject some code that closes the tag before. > > 2.) > you can now control the code inside the div. > you can also append a second attribute called "secure" that prevents any scriptcode to run from inside the div. > > > Maybe this idea is not new, or does not work. > > Please let me know what you think about this idea. > > Christian Gabmeyer > > I think one approach that we're interested in pursuing at Mozilla is the Content Security Policy approach: https://wiki.mozilla.org/Security/CSP/Specification In particular, restrictions on inline scripts, or at least on 'eval' might be useful here, along with other mitigation on loading cross-site content. We'd like this in the Firefox 4 timeframe. -- A* > > > >
Received on Tuesday, 15 June 2010 18:29:50 UTC