[whatwg] idea about html code security anti xss

Ashley Sheridan ash at ashleysheridan.co.uk
Tue Jun 15 18:27:47 PDT 2010

On Wed, 2010-06-16 at 03:19 +0200, gabmeyer at westweb.at wrote:

> Hello,
> I had just this idea after reading so much about xss and code injection.
> I think there is a simple solution:
> 1.)
> I now invent an attribute called strlen=""
> I append this to a <div strlen="94843">htmlcode with strlen of 94843 bytes including whitespace</div>
> The browser know knows the exact position where the divtag must end.
> You cannot inject some code that closes the tag before.
> 2.) 
> you can now control the code inside the div.
> you can also append a second attribute called "secure" that prevents any scriptcode to run from inside the div.
> Maybe this idea is not new, or does not work.
> Please let me know what you think about this idea.
> Christian Gabmeyer 

Your strlen attribute won't solve the issue, as the server-side script
that will be generating that figure has already ignored the XSS code (if
it wasn't missing it, there wouldn't be a problem in the first place!)

Second, I don't think an attribute is going to work to prevent script
running. What if you had your own script event handlers there? Also,
what about attacks which will leave your tags closed off and open new

Person inserts their name as '</a><a href="badsite">Bob</a>' (without
the single quotes) which gets shoved into a database someplace and then
output later on a page inside a link tag to their profile page (for
example), so instead of <a href="profile">Bob</a>, you get <a
href="profile"></a><a href="badsite">Bob</a>.

Very simple example, where no script is being run, but still bad code.
This is an issue which needs more attention on the server-side of things
I feel.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100616/9ac4f4f3/attachment-0002.htm>

More information about the whatwg mailing list