Tab Atkins Jr.
jackalmage at gmail.com
Thu May 7 07:25:51 PDT 2009
On Wed, May 6, 2009 at 4:01 PM, Robert O'Callahan <robert at ocallahan.org> wrote:
> On Wed, May 6, 2009 at 9:40 AM, João Eiras <joaoe at opera.com> wrote:
>> As part of a browser implementation team I can clearly say that the cases
>> where scripts should, or should not run are very hard to implement in a
>> cross-browser-compatible way. Marking those scripts or plugins as
>> non-executable would make everything much more complex and bug prone. Also,
>> it would be impossible to do that for an onevent attribute without all sorts
>> of problems.
>> The suggestion of marking content as non-executable doesn't solve
>> anything, because after setting innerStaticHTML another script might
>> serialize a piece of the affected DOM to string and back to a tree, and the
>> code could then execute, which would not be wanted.
>> The only viable solution, from my point of view, would be for the UA to
>> parse the string, and remove all untrusted content from the result tree
>> before appending to the document.
>> That would mean removing all onevent attributes, all script elements, all
>> plugins, etc. Basically, letting the UA implement all the filtering.
> I think that's actually what Adam is proposing. At least, it's what I had in
> mind when we discussed it.
I'm in favor of this. Browser-specified sanitizing, woo!
Obviously this doesn't replace the need for sandbox iframes (those are
still necessary for building a page using external html without
js-based sandbox-iframe situation.
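The filtering approach described in the quoted text above (parse the string into a tree, strip onevent attributes, script elements and plugins, then append only what is left), as an added illustration that is not part of this thread and not any browser's innerStaticHTML implementation. Python's html.parser stands in for the UA's own parser; the element list (script, object, embed, applet, iframe), the URL attribute list and the treatment of javascript:/vbscript: URLs are assumptions chosen for the example, not a complete whitelist. It also exercises the serialize-and-reparse concern raised above: feeding the sanitizer's output back through it yields the same string, so a later script that serializes the sanitized subtree and re-parses it gets nothing executable back.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed lists for this illustration; a real UA would work from a fuller element model.
EXECUTABLE_ELEMENTS = {"script", "object", "embed", "applet", "iframe"}
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "xlink:href"}


class StaticHTMLSanitizer(HTMLParser):
    """Parse markup into a tag/text event stream and re-emit only the inert parts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element's subtree

    @staticmethod
    def _attr_is_safe(name, value):
        name = name.lower()
        if name.startswith("on"):  # onclick, onerror, ...: inline event handlers
            return False
        if name in URL_ATTRIBUTES and value is not None:
            # Collapse whitespace/control characters so "java\nscript:" is still caught.
            compact = re.sub(r"[\x00-\x20]", "", value).lower()
            if compact.startswith(("javascript:", "vbscript:")):
                return False
        return True

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID_ELEMENTS:
                self.skip_depth += 1  # nested element inside a dropped subtree
            return
        if tag in EXECUTABLE_ELEMENTS:
            # Drop the element; for non-void ones drop everything up to its end tag.
            if tag not in VOID_ELEMENTS:
                self.skip_depth = 1
            return
        pieces = [tag]
        for name, value in attrs:
            if not self._attr_is_safe(name, value):
                continue
            if value is None:
                pieces.append(name.lower())
            else:
                pieces.append(f'{name.lower()}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(pieces) + ">")

    def handle_startendtag(self, tag, attrs):
        # "<br/>" is just a start tag in HTML; never let it unbalance skip_depth.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag not in VOID_ELEMENTS:
                self.skip_depth -= 1
            return
        if tag in VOID_ELEMENTS or tag in EXECUTABLE_ELEMENTS:
            return  # void elements have no end tag; stray </script> is dropped
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped entirely


def sanitize_html(markup):
    """Return markup with executable elements and attributes removed."""
    parser = StaticHTMLSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


def is_stable_under_reparse(markup):
    """True if serializing and re-parsing the sanitized output changes nothing."""
    once = sanitize_html(markup)
    return sanitize_html(once) == once


# Constructed sample input mixing inert markup with the things the thread wants removed.
SAMPLE = (
    '<div onclick="alert(1)" class="note">Hello <b>world</b>'
    '<script>alert(2)</script>'
    '<a href=" javascript:alert(3)">link</a>'
    '<object data="x.swf"><param name="a" value="b"></object>'
    '<img src="pic.png" onerror="alert(4)">'
    '<embed src="x.swf"></div>'
)

if __name__ == "__main__":
    print(sanitize_html(SAMPLE))
    print("stable under reparse:", is_stable_under_reparse(SAMPLE))
```

The design point is the one the quoted text makes: a string-level filter has to guess how every browser will re-parse its output, whereas filtering the parsed tree and then serializing produces markup that parses back to the same inert tree, which is why the second pass above is a no-op.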