Boris Zbarsky wrote:
> Robert Sayre wrote:
> > We could disallow DOM modification by non-chrome, but allow innerHTML.
> So when a page tried to access part of itself it would get an
> exception?
Sure, if it's important to prevent the case where "someone clones nodes
they got via XMLHttpRequest and then inserts them".
I guess it depends on what you meant by "doomed to failure." I'm only
trying to solve one authoring problem. Consider your typical CGI or PHP
script. They're writing HTML (and XML) with string concatenation, like this:
echo("<div>" + user_submitted_text + "</div>");
A professional might have
echo("<div>" + strip_dangerous(user_submitted_text) + "</div>");
and the strip_dangerous function might be very good indeed at an
operation with lots of resources, like Bloglines or Google Reader. But
even they get tripped up regularly, because they haven't reverse
engineered /parser/htmlparser and the strip_dangerous function tends to
execute separately from the code that writes to the wire (where the
encodings get mangled, etc). I want to give authors a replacement string
for the "<div>" portions of the examples, and remove the burden of
implementing an HTML parser from websites that want to include
user-submitted content.
-Rob
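The filter-then-concatenate pattern from the message, and the output-boundary escaping that avoids the "filter runs separately from the code that writes to the wire" mismatch, as an added Python example (not code from the thread; strip_dangerous, write_to_wire and the render_* functions are constructed stand-ins, and the entity-decoding output stage is an assumption used to model the encoding mismatch):

```python
import html
import re

# Constructed blacklist filter of the "strip_dangerous" kind: removes <script>
# tags and nothing else, and only in the representation it happens to see.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def strip_dangerous(text: str) -> str:
    return SCRIPT_TAG.sub("", text)


def write_to_wire(fragment: str) -> str:
    # Stand-in for the separate output stage: here it decodes entities (the
    # comment was stored entity-encoded) before emitting. The filter above
    # never sees this decoded form, which is the mismatch the thread describes.
    return html.unescape(fragment)


def render_filtered(stored_text: str) -> str:
    # The pattern from the message: filter, concatenate, then a separate writer.
    return write_to_wire("<div>" + strip_dangerous(stored_text) + "</div>")


def render_escaped(stored_text: str) -> str:
    # Escape at the point where the string becomes markup, after any decoding
    # of the stored form, so no representation change can reintroduce tags.
    plain = html.unescape(stored_text)
    return "<div>" + html.escape(plain, quote=True) + "</div>"


def user_text_is_inert(rendered: str) -> bool:
    # Check: the only markup in the fragment is the wrapper <div>.
    inner = rendered[len("<div>"):-len("</div>")]
    return re.search(r"[<>\"']", inner) is None


if __name__ == "__main__":
    stored = "&lt;script&gt;&lt;/script&gt;"  # constructed, entity-encoded input
    print(render_filtered(stored), user_text_is_inert(render_filtered(stored)))
    print(render_escaped(stored), user_text_is_inert(render_escaped(stored)))
```

Running it shows the filtered path emitting a real `<script>` element (the filter saw only entities), while the escaped path emits inert text for the same stored input.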
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security