[whatwg] The <iframe> element and sandboxing ideas

Frode Børli frode at seria.no
Tue Jul 22 15:22:07 PDT 2008

The server must escape all user generated content by replacing < with
< etc. This is perfectly secure for all existing browsers. The
sandbox instructs the browser to unescape. Completely fail safe for

On 7/22/08, James Ide <ide at berkeley.edu> wrote:
> I'm not sure that I follow - it seems to me that searching for unescaped
> text and failing is not a reliable solution. As you mention:
>> The problem is 1: that the user can easily write </span> in his comment
>> and
>> bypass the sandbox and 2: it is not backward compatible.
>  Say I input "</span>" and the application developer has forgotten to
> sanitize user input or permits use of the <span> tag (and has done some poor
> checking for well-formed code). The application may later display a page
> with my input, thus containing (e.g.): <span sandbox=1> </span> </span>,
> where "</span>" in the middle is my input.
> Is this a span element with unescaped content ("</span>"), or is it
> malformed HTML? In my eyes, it's the latter and if any UA were to treat it
> this way, it would be trivial to inject more harmful code. On a side note,
> would comments be permitted inside a sandbox? Developers may wish to have
> this functionality, but there is also the concern of a malicious user
> submitting the string "<!--", which, from some brief testing, appears to
> cause problems in IE6 and possibly more UAs. I do not have significant
> experience with parsers so I can't say for sure if these issues are
> showstoppers but they raise some concerns.
> If the browser finds unescaped content inside a sandbox it should refuse to
>> display the page - thereby forcing the author to fix this immediately.
> As mentioned previously on the topic of sandboxes, such a strict failing
> policy may not be desirable. Perhaps a more gentle approach is only not to
> render the sandbox's contents and perhaps display an error message in its
> stead.
> Overall, I'm seeing sandbox elements to be weak safety nets. AFAIK, there is
> no way for a UA alone to perfectly determine what is author- or
> developer-generated and what is user-submitted; user input must go through
> some santizing process to be completely safe.
> - James

Sent from Gmail for mobile | mobile.google.com

Best regards / Med vennlig hilsen
Frode Børli

+47 406 16 637
+47 216 90 000
+47 216 91 000

Think about the environment. Do not print this e-mail unless you really need to.

Tenk miljø. Ikke skriv ut denne e-posten dersom det ikke er nødvendig.

More information about the whatwg mailing list