- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Fri, 21 Mar 2014 15:56:43 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: "www-dom@w3.org" <www-dom@w3.org>, jruderman@gmail.com
* Anne van Kesteren wrote:
>In https://bugzilla.mozilla.org/show_bug.cgi?id=974212 Jesse Ruderman
>points out that something like
>
>var comment = document.createComment("--><img src=/
>onerror=alert('mXSS')><!--");
>
>can be dangerous when serialized and then parsed again.
>
>I believe there were quite a few of these (see the bug for another)
>and although the DOM has some checks on code points here and there, we
>do not do much to ensure a sane DOM or a sane serialization thereof.
>
>I guess the question is whether we should and how we should go about
>that given compatibility constraints.

This is a case of silent data corruption and I would expect the proposal in the comment to "truncate the comment, omit/replace/escape the '<'", which would also be silent data corruption, would likely cause further hazards. It is probably not possible to correct the format design error and make it possible to use "-->" inside a comment (add escaping method), so I would recommend gathering data on whether serialisation can throw in this and other relevant cases.

I note that there have been regressions in this regard, e.g.

  http://shadowregistry.org/js/misc/#t89f85567cca6af6d5483b404fb7e2733

Firefox used to throw on `XMLSerializer().serializeToString(...)` when a comment includes `--`, and

  http://shadowregistry.org/js/misc/#t25efa52b5d0a8bbc6a0a6f512dc68d94

only Firefox throws for processing instructions containing `?>`.

I do suspect there are serious compatibility issues for `innerHTML` though, so this might be calling for an opt-in (a CSP directive or something).

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Friday, 21 March 2014 14:57:13 UTC
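The round-trip hazard discussed in the thread, and the "serialisation can throw" alternative Björn recommends gathering data on, as an added example that is not part of the original message or of any browser's code. It uses a toy serializer and a deliberately minimal tokenizer (only enough of the HTML comment and start-tag rules to show where the reparse lands; a real parser has many more states), so no DOM is needed and it runs under Node. All function names, the node shapes and the error strings are this example's own assumptions.

```javascript
// Constructed input: the comment data from the bug report quoted above.
const PAYLOAD = "--><img src=/ onerror=alert('mXSS')><!--";

// Naive serializer, modelled on what innerHTML does for a Comment node today:
// wrap the data verbatim, with no check for "--" or "-->" inside it.
function serializeCommentNaive(data) {
  return "<!--" + data + "-->";
}

// Strict serializer (hypothetical): refuse comment data that cannot survive a
// reparse. XML 1.0 forbids "--" anywhere in a comment and a trailing "-";
// the HTML tokenizer closes a comment at "-->" (and "--!>"), so the same
// check covers both serializations.
function serializeCommentStrict(data) {
  if (data.includes("--") || data.endsWith("-")) {
    throw new Error("InvalidStateError: comment data cannot be serialized safely");
  }
  return "<!--" + data + "-->";
}

// The same idea for processing instructions: "?>" inside the data ends the
// PI early, so a strict serializer rejects it (as Firefox does for XML).
function serializePIStrict(target, data) {
  if (data.includes("?>")) {
    throw new Error("InvalidStateError: PI data contains '?>'");
  }
  return "<?" + target + " " + data + "?>";
}

// Toy tokenizer: comments, start tags and text only. Not a full HTML parser.
function tokenize(html) {
  const tokens = [];
  const re = /<!--([\s\S]*?)-->|<([a-zA-Z][^\s>\/]*)([^>]*)>|([^<]+)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1] !== undefined) {
      tokens.push({ type: "comment", data: m[1] });
    } else if (m[2] !== undefined) {
      tokens.push({ type: "startTag", name: m[2].toLowerCase(), attrs: m[3].trim() });
    } else {
      tokens.push({ type: "text", data: m[4] });
    }
  }
  return tokens;
}

// Serialize a comment the naive way and tokenize the result again: this is
// the "serialized and then parsed again" step from the bug report.
function roundTrip(commentData) {
  return tokenize(serializeCommentNaive(commentData));
}

// True if the reparsed tokens contain a start tag with an event-handler
// attribute, i.e. the comment's content escaped into markup.
function hasHandlerTag(tokens) {
  return tokens.some((t) => t.type === "startTag" && /\bon\w+\s*=/i.test(t.attrs));
}

// Stand-alone demonstration for the reader.
console.log("serialized:", serializeCommentNaive(PAYLOAD));
console.log("reparsed  :", JSON.stringify(roundTrip(PAYLOAD)));
console.log("hazard    :", hasHandlerTag(roundTrip(PAYLOAD)));
try {
  serializeCommentStrict(PAYLOAD);
} catch (e) {
  console.log("strict    :", e.message);
}
```

Running it shows the naive serializer emitting `<!----><img src=/ onerror=alert('mXSS')><!---->`, which the tokenizer reads back as an empty comment, an `img` start tag carrying `onerror`, and another empty comment: the single comment node became three nodes, one of them live markup. The strict variant throws instead of producing that string; whether throwing is acceptable for `innerHTML` is exactly the compatibility question raised in the thread.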