> On 13 Oct 2017, at 09:42, Dave Cridland <[email protected]> wrote:
>
> On 13 October 2017 at 09:20, Kevin Smith <[email protected]> wrote:
>> On 12 Oct 2017, at 21:22, Dave Cridland <[email protected]> wrote:
>>> I hereby promise a concrete proposal on
>>> these - it ought to handle a few other cases too.
>>
>> Ta, I think that’s needed for the discussion. One issue here is that I think
>> Sam’s argument is that it’s
>> 1) too tempting, for whatever reason, when you have a chunk of HTML you want
>> to render to dump it straight into .innerHTML or such without sanitisation
>> 2) fundamentally impossible to put a sufficient amount of verbiage into
>> XHTML-IM to mitigate this inclination
>> 3) not acceptable that we have a spec that leads, through this temptation,
>> to people injecting straight into the DOM
>>
>
> Seems a reasonable summary.
>
> I might add that:
>
> 4) XHTML-IM is a sledgehammer to crack the nut of what users actually want.
>
> There *is* generic protection here on modern browsers, mind - you need
> to render the XHTML inside a sandboxed, CSP'd iframe, I believe.
>
>> This leads me to wonder whether the replacement is going to go something
>> like:
>>
>> A) There’s a new spec that says *something* should render something in bold
>> B) Devs implement this by converting *something* into <b>something</b>
>> C) Devs now have a chunk of HTML that they want to render
>> D) See (1)
>> E) See (2)
>> F) See (3)
>>
>
> Well, no.
>
> Let's say that, given certain handwaving, a UA decides to render
> *something* as bold, and the implementation does this by
> <b>something</b>.
>
> a) Is it likely that the conversion from a Markdown-like syntax will
> intentionally generate malicious HTML?
No.

> b) Is it likely that an attacker could cunningly manipulate a couple
> of asterisks in order to generate such HTML?

Yes.

> c) Is it likely that there will exist a generic attack against
> virtually every web-based UA?

If what Sam says is true, and they don’t try to do any sort of sanitisation, could well be.

> With XHTML-IM, the answer to all three is "yes". With something
> Markdownish, I don't think it is.

As I said in xsf@

"""
I don't think the move towards something markdownish is actually stupid, FWIW, and I think it's much much easier to sanitise something that you can write your own parser/serialiser for, than XHTML-IM. So I don't think this is a bad direction. It is much easier for diligent devs to get it right. I'm just not sure I buy the argument that it's going to suddenly make anyone who wants to dump things into a DOM unsanitised safe.
"""

If Sam’s premise that as soon as they have HTML, devs will just try to inject it is right, then I think that suggests that something like

Hi there *friend*<script>…</script>

is going to produce issues. It absolutely should not. It is trivial to avoid it. But I think that it’s fundamentally weird to claim that when implementing markdownish, non-diligent devs won’t just inject HTML, but while implementing XHTML-IM they will.

So I’d like to strike “Stupid people will do stupid things” from the agenda of the discussion, and move it towards “What do we need so that diligent but fallible people are likely to get it right”.

/K

_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
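As an added example (not part of this thread, and not code from any XMPP client or from the XSF), here is the "trivial to avoid it" case Kevin refers to, written out in JavaScript: a minimal markdownish renderer that turns *text* into <b>text</b>. The naive version substitutes markup into the raw message and hands whatever the sender typed, <script> included, straight to whoever does el.innerHTML = render(m). The safe version escapes the message as text first and only then introduces the one element it intends, so manipulating asterisks can at most move where <b> and </b> land. The function names and the sample messages are my own constructions.

```javascript
// Added example: a markdownish "*bold*" renderer, naive vs. escape-first.
// Not code from the thread or from any XMPP client.

// Naive: treats the incoming message as HTML. Anything HTML-significant the
// sender typed (e.g. <script>) passes through untouched, so an
// el.innerHTML = renderNaive(msg) call is a stored XSS.
function renderNaive(message) {
  return message.replace(/\*([^*]+)\*/g, '<b>$1</b>');
}

// Escape the five characters that can change meaning in HTML text or
// attribute content. After this step the string is inert as HTML.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[c]);
}

// Safe: escape first, then apply the bold transform to the escaped text.
// Asterisks are not HTML-significant, so an attacker who "cunningly
// manipulates a couple of asterisks" can only decide which run of inert text
// gets wrapped in <b>...</b>; every < > & " ' in the payload was neutralised
// before any markup existed.
function renderSafe(message) {
  return escapeHtml(message).replace(/\*([^*]+)\*/g, '<b>$1</b>');
}

// Belt and braces: confirm the output contains no element other than the <b>
// we generate. Suitable as an assertion at the .innerHTML boundary, not as a
// substitute for escaping.
function onlyBoldTags(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.every((t) => t === '<b>' || t === '</b>');
}

// Constructed sample messages (not real traffic).
const samples = [
  'Hi there *friend*<script>alert(1)</script>',
  'price is *<$5* & rising',
  '*a**b*',
  'click <a href="x" onmouseover="*evil*">here</a>',
];

for (const m of samples) {
  console.log('naive :', renderNaive(m), '| only <b>?', onlyBoldTags(renderNaive(m)));
  console.log('safe  :', renderSafe(m), '| only <b>?', onlyBoldTags(renderSafe(m)));
}
```

The order of operations is the whole point: escaping after the substitution would turn the generated <b> into text, and escaping only the parts "outside" the markup is where ad-hoc parsers go wrong. Escape the complete input once, then build markup on top of it.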
