
Prevent reparsing attacks?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 21 Mar 2014 13:42:44 +0000
Message-ID: <CADnb78iR1oPs42g76PVfOUW0zusxTXh6wq+SXy4mRY8ceafxTg@mail.gmail.com>
To: "www-dom@w3.org" <www-dom@w3.org>
Cc: jruderman@gmail.com
In https://bugzilla.mozilla.org/show_bug.cgi?id=974212 Jesse Ruderman
points out that something like

var comment = document.createComment("--><img src=/ onerror=alert('mXSS')><!--");

can be dangerous when serialized and then parsed again.

I believe there were quite a few of these (see the bug for another)
and although the DOM has some checks on code points here and there, we
do not do much to ensure a sane DOM or a sane serialization thereof.

I guess the question is whether we should and how we should go about
that given compatibility constraints.

Thoughts?


-- 
http://annevankesteren.nl/
Received on Friday, 21 March 2014 13:43:17 UTC
