- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 21 Mar 2014 13:42:44 +0000
- To: "www-dom@w3.org" <www-dom@w3.org>
- Cc: jruderman@gmail.com
In https://bugzilla.mozilla.org/show_bug.cgi?id=974212 Jesse Ruderman
points out that something like
var comment = document.createComment("--><img src=/ onerror=alert('mXSS')><!--");
can be dangerous when serialized and then parsed again.
I believe there were quite a few of these (see the bug for another)
and although the DOM has some checks on code points here and there, we
do not do much to ensure a sane DOM or a sane serialization thereof.
I guess the question is whether we should and how we should go about
that given compatibility constraints.
Thoughts?
--
http://annevankesteren.nl/
Received on Friday, 21 March 2014 13:43:17 UTC
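The round trip the message describes, as an added example that is not part of the original post or of any browser's code: a comment's data is serialized verbatim between `<!--` and `-->`, and when that string is parsed again the HTML parser closes the comment early and sees the `<img>` start tag. `serializeComment()`, `tokenize()` and `isSafeCommentData()` below are simplified stand-ins written for this illustration (the real serializer and parser are much larger); the payload is constructed to match the one in the post.

```javascript
// Added illustration of the serialize-then-reparse mutation in the post.
// serializeComment() and tokenize() are simplified stand-ins for the
// browser's HTML serializer and parser; they cover only comments, start
// tags and text, which is all this example needs.

// HTML fragment serialization writes a Comment node as "<!--" + data + "-->"
// with no escaping of the data.
function serializeComment(data) {
  return '<!--' + data + '-->';
}

// Parse a start tag body such as "img src=/ onerror=alert('x')" into a token.
function parseStartTag(inner) {
  const [rawName, ...rest] = inner.trim().split(/\s+/);
  const attrs = {};
  for (const piece of rest) {
    const eq = piece.indexOf('=');
    if (eq === -1) { attrs[piece.toLowerCase()] = ''; continue; }
    let value = piece.slice(eq + 1);
    const q = value[0];
    if (value.length >= 2 && (q === '"' || q === "'") && value[value.length - 1] === q) {
      value = value.slice(1, -1);
    }
    attrs[piece.slice(0, eq).toLowerCase()] = value;
  }
  return { type: 'startTag', name: rawName.toLowerCase(), attrs };
}

// Deliberately tiny HTML tokenizer. It keeps the parser rules that matter
// here: "<!-->" and "<!--->" close a comment immediately, and the first
// "-->" after "<!--" ends it. Everything else is simplified.
function tokenize(html) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    if (html.startsWith('<!--', i)) {
      const j = i + 4;
      if (html.startsWith('>', j)) { tokens.push({ type: 'comment', data: '' }); i = j + 1; continue; }
      if (html.startsWith('->', j)) { tokens.push({ type: 'comment', data: '' }); i = j + 2; continue; }
      const end = html.indexOf('-->', j);
      tokens.push({ type: 'comment', data: end === -1 ? html.slice(j) : html.slice(j, end) });
      i = end === -1 ? html.length : end + 3;
    } else if (html[i] === '<' && /[A-Za-z]/.test(html[i + 1] || '')) {
      const end = html.indexOf('>', i);
      tokens.push(parseStartTag(end === -1 ? html.slice(i + 1) : html.slice(i + 1, end)));
      i = end === -1 ? html.length : end + 1;
    } else {
      let end = html.indexOf('<', i + 1);
      if (end === -1) end = html.length;
      tokens.push({ type: 'text', data: html.slice(i, end) });
      i = end;
    }
  }
  return tokens;
}

// Serialize a comment's data and parse the result back, which is what an
// innerHTML read-then-write or a re-parsing sanitizer effectively does.
function roundTrip(commentData) {
  return tokenize(serializeComment(commentData));
}

// One possible check (an assumption for this example, not something the DOM
// spec mandates): data containing "-->" or starting with ">" or "->" cannot
// survive a round trip, so a serializer or DOM API could refuse it.
function isSafeCommentData(data) {
  return !data.includes('-->') && !data.startsWith('>') && !data.startsWith('->');
}

// Constructed payload with the same shape as the one in the post.
const payload = "--><img src=/ onerror=alert('mXSS')><!--";

console.log(serializeComment(payload));
console.log(JSON.stringify(roundTrip(payload), null, 2));
console.log('safe to round-trip?', isSafeCommentData(payload));
```

Run with `node` and compare the first line of output with the tokens: the single Comment node becomes an empty comment, an `img` start tag carrying `onerror`, and another empty comment. The check at the end is only one of the options the message leaves open; an alternative would be to escape the data on serialization rather than reject it on creation, and that is exactly the compatibility question being asked.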