[whatwg] updateWithSanitizedHTML (was Re: innerStaticHTML)

Kornel Lesiński kornel at geekhood.net
Tue Dec 1 02:38:57 PST 2009


> The WebKit community is considering taking up such an experimental
> implementation.  Here's my current proposal for how this might work:
>
> http://docs.google.com/Doc?docid=0AZpchfQ5mBrEZGQ0cDh3YzRfMTJzbTY1cWJrNA&hl=en
>
> I would appreciate any feedback on the design.

Whitelist requires developers to know about potential risks of each  
element/property, and that's not obvious to everyone: e.g. one might  
want to allow object/embed (for harmless YouTube videos) without  
realizing that it enables XSS.

It's also non-obvious that style attribute is XSS risk (via behavior  
property). Higher-level filtering option could allow style attribute,  
and only filter out that property. Current proposal would need another  
whitelist for CSS properties.

And even whitelist for CSS properties couldn't be used to implement  
"No external access" policy (allow images with data: urls, allow http:  
links, but not http: images). This would be useful for webmails and  
other places where website doesn't want to allow 3rd parties tracking  
views.

"No clickjacking" option might be useful as well.

-- 
regards, Kornel Lesiński




More information about the whatwg mailing list