
Re: Prevent reparsing attacks?

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 21 Mar 2014 15:56:43 +0100
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "www-dom@w3.org" <www-dom@w3.org>, jruderman@gmail.com
Message-ID: <41koi91rb2pb7rsdjd3hdm6j2tvppoq6cv@hive.bjoern.hoehrmann.de>
* Anne van Kesteren wrote:
>In https://bugzilla.mozilla.org/show_bug.cgi?id=974212 Jesse Ruderman
>points out that something like
>
>var comment = document.createComment("--><img src=/
>onerror=alert('mXSS')><!--");
>
>can be dangerous when serialized and then parsed again.
>
>I believe there were quite a few of these (see the bug for another)
>and although the DOM has some checks on code points here and there, we
>do not do much to ensure a sane DOM or a sane serialization thereof.
>
>I guess the question is whether we should and how we should go about
>that given compatibility constraints.

This is a case of silent data corruption and I would expect that the proposal
in the comment to "truncate the comment, omit/replace/escape the '<'",
which would also be silent data corruption, would likely cause further
hazards. It is probably not possible to correct the format design error
and make it possible to use "-->" inside a comment (add escaping method)
so I would recommend gathering data whether serialisation can throw in
this and other relevant cases. I note that there have been regressions
in this regard, e.g.

  http://shadowregistry.org/js/misc/#t89f85567cca6af6d5483b404fb7e2733

Firefox used to throw on `XMLSerializer().serializeToString(...)` when a
comment includes `--` and

  http://shadowregistry.org/js/misc/#t25efa52b5d0a8bbc6a0a6f512dc68d94

only Firefox throws for processing instructions containing `?>`. I do
suspect there are serious compatibility issues for `innerHTML` though,
so this might be calling for an opt-in (a CSP directive or something).
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Friday, 21 March 2014 14:57:13 UTC
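The round trip Jesse Ruderman's `createComment()` example relies on, as an added illustration that is not code from this thread or from any browser. It models how a Comment node whose data contains `-->` serializes without escaping and reparses into three nodes instead of one, and beside it a strict serializer of the kind Bjoern describes (Firefox's `XMLSerializer` throwing on `--` in comment data, and on `?>` in processing-instruction data). The `tokenize()` helper is a deliberately simplified stand-in for the HTML tokenizer (it knows only comments, start tags and text), and the function names are this example's own; the payload is the one quoted from the bug.

```javascript
// Added example, not code from the thread or from any browser. It models the
// round-trip hazard in Jesse Ruderman's example: a comment node whose data
// contains "-->" serializes without escaping, and reparsing that markup no
// longer yields a single comment node.

// Constructed payload, taken from the quoted createComment() call.
const PAYLOAD = "--><img src=/ onerror=alert('mXSS')><!--";

// What innerHTML/outerHTML does for a Comment node: the data is emitted as-is.
function serializeComment(data) {
  return "<!--" + data + "-->";
}

// Simplified reparse: only comment, start-tag and text tokens. The real HTML
// tokenizer has more states (abrupt "<!-->" close, "--!>", etc.); this is just
// enough to show where comment boundaries land after a round trip.
function tokenize(html) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    if (html.startsWith("<!--", i)) {
      const end = html.indexOf("-->", i + 4);
      const close = end === -1 ? html.length : end;
      tokens.push({ type: "comment", value: html.slice(i + 4, close) });
      i = end === -1 ? html.length : end + 3;
    } else if (html[i] === "<" && /[A-Za-z]/.test(html[i + 1] || "")) {
      const end = html.indexOf(">", i);
      const close = end === -1 ? html.length : end;
      const raw = html.slice(i + 1, close);
      const name = raw.match(/^[A-Za-z0-9]+/)[0].toLowerCase();
      tokens.push({ type: "tag", value: name, raw });
      i = end === -1 ? html.length : end + 1;
    } else {
      let end = html.indexOf("<", i + 1);
      if (end === -1) end = html.length;
      tokens.push({ type: "text", value: html.slice(i, end) });
      i = end;
    }
  }
  return tokens;
}

// Serialize one comment node, reparse it, and report the node kinds that come
// back. A lossless round trip returns ["comment"].
function roundTripComment(data) {
  return tokenize(serializeComment(data)).map(
    (t) => (t.type === "tag" ? "tag:" + t.value : t.type)
  );
}

// Strict serializer: refuse data that cannot survive a round trip, the way
// the thread says Firefox's XMLSerializer used to throw on "--" in a comment.
// XML forbids "--" anywhere in comment data and a trailing "-"; either would
// change how the serialized form is parsed.
function serializeCommentStrict(data) {
  if (data.includes("--") || data.endsWith("-")) {
    throw new Error("comment data cannot be serialized losslessly: " + JSON.stringify(data));
  }
  return serializeComment(data);
}

// Same idea for processing instructions: "?>" in the data terminates the PI
// early on reparse, so a strict serializer throws instead of emitting it.
function serializePIStrict(target, data) {
  if (data.includes("?>")) {
    throw new Error("processing instruction data contains '?>'");
  }
  return "<?" + target + " " + data + "?>";
}

// Small helper so callers can ask "does the strict path reject this?".
function throwsOn(fn) {
  try { fn(); return false; } catch (e) { return true; }
}

console.log(serializeComment(PAYLOAD));
// <!----><img src=/ onerror=alert('mXSS')><!---->
console.log(roundTripComment(PAYLOAD));
// [ 'comment', 'tag:img', 'comment' ]
console.log(throwsOn(() => serializeCommentStrict(PAYLOAD)));
// true
```

The naive path shows the "silent data corruption" the reply talks about: nothing fails, the `<img>` simply ends up outside the comment after one serialize/reparse cycle. The strict path is the alternative the reply suggests gathering data on, throwing at serialization time; whether `innerHTML` could afford that is exactly the compatibility question left open above.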
