[whatwg] some thoughts on sandboxed IFRAMEs
Simetrical+w3c at gmail.com
Thu Feb 4 16:48:07 PST 2010
On Thu, Feb 4, 2010 at 12:44 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> The same argument could be made for not escaping <, but I don't think
> it's valid in practice - particularly for (hypothetically) constrained
> input fields.
The use-cases for srcdoc are only where you expect HTML input. HTML
input is very likely to contain " or '. By contrast, ordinary XSS
usually occurs when < is unlikely to occur in legitimate input, so you
won't spot it right away -- as you say, constrained input fields. Why
would anyone, even someone who's extremely confused and/or ignorant,
even *attempt* to use srcdoc to contain anything other than HTML?
More information about the whatwg