- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 14 Oct 2010 18:30:06 +0200
- To: "Tab Atkins Jr." <jackalmage@gmail.com>
- CC: Andrew Fedoniouk <news@terrainformatica.com>, HTML WG <public-html@w3.org>
On 14.10.2010 18:23, Tab Atkins Jr. wrote: > ... > No, it does not. This has exactly the same issues as the most naive > solution to the problem, a<sandbox> element. Namely, the content you > include inside the script can have an unmatched</script>, breaking it > out of the sandbox and letting anything that follows be treated as > part of the normal page. Arbitrary XSS follows in the obvious way. > > The discussion surrounding this issue went over this in depth, and my > Change Proposal quickly summarized the issues around it and several > similar solutions. I suggest reading my Change Proposal first before > making further suggestions, as it is very likely that your idea has > already been discussed and found wanting. This is a hard area where > the solutions are pulled in several different directions. > ... Well. Putting the user-supplied text into @srcdoc requires escaping. Putting it into an element requires escaping as well, but once you understand you need to escape, where's the big difference? Best regards, Julian
Received on Thursday, 14 October 2010 16:30:46 UTC