[whatwg] idea about html code security anti xss
Ian Hickson
ian at hixie.ch
Mon Aug 9 15:36:59 PDT 2010
On Wed, 16 Jun 2010, gabmeyer at westweb.at wrote:
>
> I had just this idea after reading so much about xss and code injection.
>
> I think there is a simple solution:
>
> 1.)
> I now invent an attribute called strlen=""
>
> I append this to a <div strlen="94843">htmlcode with strlen of 94843 bytes including whitespace</div>
>
> The browser now knows the exact position where the div tag must end.
>
> You cannot inject some code that closes the tag before.
>
> 2.)
> You can now control the code inside the div.
> You can also append a second attribute called "secure" that prevents any script code from running inside the div.
On Wed, 16 Jun 2010, Anne van Kesteren wrote:
>
> We considered something like this before, but it was thought to be too
> complicated and not backwards compatible enough. In the current draft
> you will find <iframe srcdoc=...></iframe> which does what you propose
> with the relatively small change that the sandboxed code is inside an
> attribute rather than an element. For fallback the src attribute can be
> used.
Indeed.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
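The approach Anne points to above, shown as an added example that is not part of the thread: the untrusted markup goes into a sandboxed iframe's srcdoc attribute, with the attribute-significant characters escaped so the untrusted content cannot terminate the attribute or the iframe early, which is the "closing the tag before" problem the original poster wanted strlen to solve. The function names, the fallback URL and the sample attacker string are assumptions constructed for this example.

```javascript
// Added example (not from the WHATWG thread): render untrusted HTML inside a
// sandboxed <iframe srcdoc> instead of a hypothetical <div strlen>.
// Because srcdoc is an attribute, the only thing untrusted markup could
// "close early" is the attribute value itself; escaping the characters
// that are significant inside a double-quoted attribute removes that.

function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Markup the host page emits. An empty `sandbox` attribute is the most
// restrictive mode: scripts do not run and the content gets a unique origin,
// which is what the poster's proposed "secure" attribute asked for.
// `src` is the fallback Anne mentions for browsers that lack srcdoc.
function sandboxedIframe(untrustedHtml, fallbackUrl) {
  const fallback = fallbackUrl === undefined ? 'about:blank' : fallbackUrl;
  return '<iframe sandbox src="' + escapeAttr(fallback) +
         '" srcdoc="' + escapeAttr(untrustedHtml) + '"></iframe>';
}

// Counts real (unescaped) tag openers in the host page's markup. For the
// output to be safe, the only real tags are the <iframe> open and close tag;
// everything from the untrusted input must survive only as entity text.
function countRawTags(markup) {
  return (markup.match(/<\/?[a-zA-Z]/g) || []).length;
}

// Constructed sample: attacker-controlled text that tries to end the
// attribute and the iframe, then plant a script in the host document.
const untrusted = 'hello"></iframe><script>alert(1)</script>';

const hostMarkup = sandboxedIframe(untrusted);
// The iframe's own document will decode the entities back into the original
// string, but that document is sandboxed, so the script tag is inert there;
// in the host document the attacker text never becomes a tag at all.
console.log(hostMarkup);
console.log('raw tags in host markup:', countRawTags(hostMarkup)); // 2
```

The check function is the defender's view of the result: whatever the untrusted input contains, the host document should contain exactly the two iframe tags and nothing else parseable as markup.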