[whatwg] some thoughts on sandboxed IFRAMEs
Michal Zalewski
lcamtuf at coredump.cx
Sun Dec 13 17:41:28 PST 2009
> <span sandbox><span>But this span will have another span as its
> child, sandboxed. The regular parser sees no entities here, only a
> nested span!</span></span>
That's a pretty reasonable variant for lightweight sandboxes, IMO. It
does not have the explicit assurance of a token-based approach (i.e.,
will not fail right away if the user gets it wrong), but it's better
than data: URLs or @doc in that - as you noted - it will fail quickly
if the encapsulated HTML is not escaped, while this may still go
unnoticed until abused:
<iframe sandbox doc="<h1>User input without escaping"></iframe>
<iframe sandbox src="data:text/html,<h1>User input without escaping"></iframe>
As a side note, the other benefit of sandboxed spans and divs in such
a design is that you can then have .innerHTML on sandbox-tagged
elements automagically conform to the sandboxing rules, without the
need for .toStaticHTML, .secureInnerHTML, or similar approaches (which
are error-prone by virtue of tying sanitization to the data-access
method, rather than a particular element).
/mz
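The failure mode the post describes for the doc="..." and data: variants (the `doc` attribute proposed here later shipped as `srcdoc`) is an attribute-boundary break: the markup renders correctly for ordinary input, so a missing escaping step is invisible until someone submits a string containing a double quote, at which point the rest of the "sandboxed" content lands in the parent document's tag. The following is an added example, not code from the original post or from any browser; `parseStartTagAttrs` is a deliberately simplified model of how an HTML tokenizer reads a start tag's attributes (double-quoted values end at the first `"`), and the sample user input is constructed for the demonstration.

```javascript
// Added example (not part of the original post). Models the two iframe
// constructions from the post and checks whether the user-supplied HTML
// survives the round trip through the attribute intact.

// Escape a string for placement inside a double-quoted HTML attribute value.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Undo escapeAttr (only the entities it emits; enough for this demo).
function decodeAttr(s) {
  return s.replace(/&quot;/g, '"').replace(/&lt;/g, "<").replace(/&amp;/g, "&");
}

// The doc="..." construction from the post. `escape` toggles the bug.
function buildSandboxedFrame(userHtml, escape) {
  const value = escape ? escapeAttr(userHtml) : userHtml;
  return `<iframe sandbox doc="${value}"></iframe>`;
}

// The data: URL construction from the post. `encode` toggles the bug.
function buildDataUrlFrame(userHtml, encode) {
  const payload = encode ? encodeURIComponent(userHtml) : userHtml;
  return `<iframe sandbox src="data:text/html,${payload}"></iframe>`;
}

// Simplified model of HTML start-tag attribute tokenization (assumption:
// a real tokenizer has more states, but the quoting rule shown here is the
// one that matters). Returns a name -> decoded value map for the first tag.
function parseStartTagAttrs(markup) {
  let i = 1; // skip '<'
  while (i < markup.length && /[^\s/>]/.test(markup[i])) i++; // tag name
  const attrs = {};
  while (i < markup.length) {
    while (/\s/.test(markup[i])) i++;
    if (markup[i] === ">" || markup[i] === undefined) break;
    let name = "";
    while (i < markup.length && /[^\s=>]/.test(markup[i])) name += markup[i++];
    while (/\s/.test(markup[i])) i++;
    let value = "";
    if (markup[i] === "=") {
      i++;
      while (/\s/.test(markup[i])) i++;
      if (markup[i] === '"' || markup[i] === "'") {
        const q = markup[i++];
        // A quoted value ends at the first matching quote: anything the
        // user put after a raw `"` becomes further attributes of the iframe.
        while (i < markup.length && markup[i] !== q) value += markup[i++];
        i++; // closing quote
      } else {
        while (i < markup.length && /[^\s>]/.test(markup[i])) value += markup[i++];
      }
    }
    attrs[name.toLowerCase()] = decodeAttr(value);
  }
  return attrs;
}

// True iff the doc attribute still carries exactly the user's HTML.
function frameKeepsInput(userHtml, escape) {
  return parseStartTagAttrs(buildSandboxedFrame(userHtml, escape)).doc === userHtml;
}

// True iff the data: URL still decodes to exactly the user's HTML.
function dataUrlKeepsInput(userHtml, encode) {
  const src = parseStartTagAttrs(buildDataUrlFrame(userHtml, encode)).src || "";
  const prefix = "data:text/html,";
  if (!src.startsWith(prefix)) return false;
  try {
    return decodeURIComponent(src.slice(prefix.length)) === userHtml;
  } catch (e) {
    return false; // malformed %-sequence from raw user input
  }
}

// Constructed sample inputs: one with a quoted attribute, one without.
const QUOTED_INPUT = '<h1 title="x">y</h1>';
const PLAIN_INPUT = "<b>hello</b>";

console.log("plain, unescaped :", frameKeepsInput(PLAIN_INPUT, false));   // goes unnoticed
console.log("quoted, unescaped:", frameKeepsInput(QUOTED_INPUT, false));  // breaks out
console.log("quoted, escaped  :", frameKeepsInput(QUOTED_INPUT, true));
console.log("data:, raw       :", dataUrlKeepsInput(QUOTED_INPUT, false));
console.log("data:, encoded   :", dataUrlKeepsInput(QUOTED_INPUT, true));
```

The quote-free input passes both ways, which is exactly why the bug survives testing; the quoted input is truncated at `<h1 title=` in the unescaped case and the remainder is tokenized as attributes of the outer iframe, i.e. in the parent document's origin rather than the sandbox.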