[whatwg] XSS safe templating

Henri Sivonen hsivonen at iki.fi
Fri Mar 12 07:04:19 PST 2010

On Mar 11, 2010, at 20:18, Mike Samuel wrote:

> I think I can probably do without new HTML5 stuff.

OK. One supplemental point:

On Mar 10, 2010, at 20:15, Mike Samuel wrote:

> document.write can be wrapped.  But the wrapper would still need to
> know the insertion-mode.
> If the insertion mode were exposed, or at least some context were
> given -- enough to know whether the next char if not something that
> changed the current token, would be interpreted as
>  * inside a tag
>  * outside a tag in a comment / application instruction / doctype
>  * outside a tag in a PCDATA/RCDATA/CDATA context and ideally in what
> kind of containing tag
>  * outside a tag in a CDATA section.

That's not the insertion mode. That's the tokenizer state.

Whenever a script that is eligible to write to the stream starts running, the tokenizer is in the "data" state. Therefore, if you control all the scripts on the page, and wrap document.write(), you already have a stable initial tokenizer state provided to you by the host browser's parser and you can predict the state transitions from there.

If you have arbitrary other scripts on the page whose execution may be interleaved with the execution of your wrapper in unexpected ways, you've already lost XSS-safety overall.

Henri Sivonen
hsivonen at iki.fi
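
The point made in the message above, as an added example that is not part of the original post: since the tokenizer is in the "data" state whenever a script starts running, a document.write() wrapper can replay everything it has written from that state and know the context of the next character. The names `contextAfter`, `makeWriter` and `sink` are hypothetical, and the state machine is a deliberately simplified subset of the HTML5 tokenizer that assumes the trusted markup is well-formed with quoted attribute values.

```javascript
// Added example: a simplified model, not the full HTML5 tokenizer.
// Not modelled: doctype, CDATA sections, unquoted attribute values containing quotes.
const RAW = new Set(['script', 'style', 'textarea', 'title']); // all refused below

function contextAfter(html) {
  let state = 'data', name = '', raw = '', i = 0; // 'data' is guaranteed at script start
  while (i < html.length) {
    const c = html[i], rest = html.slice(i);
    if (state === 'data') {
      const m = /^<\/?([a-zA-Z][^\s\/>]*)/.exec(rest);
      if (rest.startsWith('<!--')) { state = 'comment'; i += 4; }
      else if (['<', '</', '<!', '<!-'].includes(rest)) return 'tag'; // ambiguous tail
      else if (m) { state = 'tag'; name = rest[1] === '/' ? '' : m[1].toLowerCase(); i += m[0].length; }
      else i++;
    } else if (state === 'tag') {
      if (c === '"') state = 'attr-dq';
      else if (c === "'") state = 'attr-sq';
      else if (c === '>') { raw = RAW.has(name) ? name : ''; state = raw ? 'rawtext' : 'data'; }
      i++;
    } else if (state === 'attr-dq' || state === 'attr-sq') {
      if (c === (state === 'attr-dq' ? '"' : "'")) state = 'tag';
      i++;
    } else if (state === 'comment') {
      if (rest.startsWith('-->')) { state = 'data'; i += 3; } else i++;
    } else { // rawtext: only the matching end tag leaves it
      const end = '</' + raw, after = rest[end.length];
      if (rest.toLowerCase().startsWith(end) && (after === undefined || /[\s\/>]/.test(after))) {
        state = 'tag'; name = ''; i += end.length;
      } else i++;
    }
  }
  return state;
}

const escapeHtml = s => s.replace(/[&<>"']/g, ch => '&#' + ch.charCodeAt(0) + ';');

function makeWriter(sink) { // sink stands in for the real document.write (assumption)
  let written = '';         // everything emitted since the script started running
  const emit = s => { written += s; sink(s); };
  return {
    markup: emit,           // trusted, author-controlled markup only
    context: () => contextAfter(written),
    text(untrusted) {
      const ctx = contextAfter(written);
      if (!['data', 'attr-dq', 'attr-sq'].includes(ctx)) throw new Error('unsafe context: ' + ctx);
      emit(escapeHtml(String(untrusted)));
    },
  };
}
```

Escaping alone does not make URL-bearing attributes such as href safe; those need scheme validation in addition to the context check.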
