[whatwg] some thoughts on sandboxed IFRAMEs

Aryeh Gregor Simetrical+w3c at gmail.com
Thu Feb 4 16:48:07 PST 2010

On Thu, Feb 4, 2010 at 12:44 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> The same argument could be made for not escaping <, but I don't think
> it's valid in practice - particularly for (hypothetically) constrained
> input fields.

The use-cases for srcdoc are only where you expect HTML input.  HTML
input is very likely to contain " or '.  By contrast, ordinary XSS
usually occurs when < is unlikely to occur in legitimate input, so you
won't spot it right away -- as you say, constrained input fields.  Why
would anyone, even someone who's extremely confused and/or ignorant,
even *attempt* to use srcdoc to contain anything other than HTML?

More information about the whatwg mailing list