Blake Kaplan wrote:
> If we just replace <div> with <strip_dangerous>, then it seems to me
> that we've only moved the problem. Now, strip_dangerous has to be sure
> to remove all possible insertions of "</strip_dangerous>" in
> user_submitted_text, which, as you point out, is hard if you haven't
> fully reverse engineered parser/htmlparser.
Hmm. We don't have this problem with innerHTML, since we can disallow
the element within the string, and we could also get some context by
doing <strip_dangerous src="">.
The other thing I can think of would be to allow some random stuff in
the tag name,
<strip_dangerous:737466a7bfc72727d95cc0c1aa9dc5e7>
</strip_dangerous:737466a7bfc72727d95cc0c1aa9dc5e7>
getting kind of ugly, I know.
-Rob
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security