Bertrand Le Roy
Bertrand.Le.Roy at microsoft.com
Fri Jul 20 11:33:00 PDT 2007
That's actually a pretty good point, which forum developers have had to solve long ago. One needs to know that injecting raw HTML should only be done when the source of that HTML is trusted or when some filtering is done. It is more difficult than it seems at first to filter out dangerous HTML, so most systems do it using a whitelist of tags, attributes and protocols rather than with a blacklist. Off the top of my head, here are a few possible ways to inject script from HTML:
* Script tag
* Any event attribute (the focus and mouse events are good candidates for an exploit)
* On IE, behaviors in styles are one more way to inject code.
Of course, the multitudes of ways you can encode attributes and urls in HTML and the general forgiveness of the markup make the filtering all the more difficult.
From: security-bounces at openajax.org [mailto:security-bounces at openajax.org] On Behalf Of Jon Ferraiolo
Sent: Friday, July 20, 2007 10:31 AM
To: Gorm Haug Eriksen
Cc: security at openajax.org
Subject: [OpenAjaxSecurity] innerHTML?
I got your note about whether we should say something in the security white paper about innerHTML and code injection risks. I am copying the Security TF to allow the experts to respond.
myElement.innerHTML = textStringFromServer
but if the textStringFromServer looked like this "<script>...</script>" then script would be injected.
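The whitelist approach Bertrand describes, as an added example that is not part of the thread and not code from OpenAjax or any of the participants: a small allow-list filter that rebuilds the markup from scratch, keeping only known tags, known attributes per tag and known URL schemes, and throwing away everything else (script tags, every on* event attribute, style attributes that could carry IE behaviors, comments including IE conditional comments). The attribute values are entity-decoded and stripped of tabs and newlines before the scheme check, which is the part that deals with the "multitudes of ways you can encode attributes and urls". The allowed tag, attribute and scheme sets are assumptions chosen for illustration; a real deployment would pick its own.

```javascript
// Added example (not from the thread): an allow-list HTML filter so that
// untrusted markup can be assigned to innerHTML. Everything not explicitly
// permitted is dropped or escaped. The allow lists below are assumptions.

const ALLOWED_TAGS = {
  b: [], i: [], em: [], strong: [], p: [], br: [], ul: [], li: [],
  a: ['href', 'title'],
  img: ['src', 'alt'],
};
const VOID_TAGS = new Set(['br', 'img']);
const URL_ATTRS = new Set(['href', 'src']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Escape on the way out so nothing we emit can end a tag or attribute early.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Decode numeric and a few named entities so an encoded scheme such as
// "java&#x73;cript:" is seen for what it is before the scheme check.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n' };
  return s.replace(/&(#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, _, hex, dec, name) => {
    if (hex || dec) {
      const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
    }
    return named[name.toLowerCase()] ?? m;
  });
}

// Return a cleaned URL, or null if its scheme is not on the allow list.
// Browsers ignore tab/CR/LF inside a URL and leading/trailing control
// characters, so "java\tscript:" must be normalised before checking.
function safeUrl(value) {
  const url = decodeEntities(value)
    .replace(/[\t\r\n]/g, '')
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(url);
  if (m) return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? url : null;
  return url; // relative URL: inherits the page's own scheme
}

// Tokens: comment | tag with attribute text | run of text | stray "<"
const TOKEN = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|[^<]+|</g;
const ATTR = /([a-zA-Z][a-zA-Z0-9\-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function sanitizeHtml(input) {
  let out = '';
  const open = []; // stack of emitted open tags, keeps the output balanced
  for (const tok of input.matchAll(TOKEN)) {
    const [raw, tagName, attrText] = tok;
    if (raw.startsWith('<!--')) continue;           // comments, incl. IE conditionals
    if (!tagName) { out += escapeHtml(decodeEntities(raw)); continue; } // text or lone "<"
    const tag = tagName.toLowerCase();
    const allowedAttrs = ALLOWED_TAGS[tag];
    if (!allowedAttrs) continue;                     // <script>, <style>, <iframe>, ...
    if (raw.startsWith('</')) {
      if (VOID_TAGS.has(tag)) continue;
      const idx = open.lastIndexOf(tag);
      if (idx === -1) continue;                      // close without matching open
      while (open.length > idx) out += `</${open.pop()}>`;
      continue;
    }
    let attrs = '';
    for (const a of attrText.matchAll(ATTR)) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      // on* event handlers and style (IE behaviors, expression()) are never
      // in the allow list, so they fall out here without being named.
      if (!allowedAttrs.includes(name)) continue;
      const v = URL_ATTRS.has(name) ? safeUrl(value) : decodeEntities(value);
      if (v === null) continue;
      attrs += ` ${name}="${escapeHtml(v)}"`;
    }
    out += `<${tag}${attrs}>`;
    if (!VOID_TAGS.has(tag)) open.push(tag);
  }
  while (open.length) out += `</${open.pop()}>`;
  return out;
}

// Usage: myElement.innerHTML = sanitizeHtml(textStringFromServer);
```

Two practical notes. First, the filter is built the way Bertrand recommends, as an allow list: an attribute or scheme that nobody thought of is dropped rather than let through, which is what makes the approach robust against new encodings and new event names. Second, a detail worth knowing when testing this in a current browser: a `<script>` element inserted through innerHTML is not executed by modern browsers, but an event handler attribute such as `onerror` on an `<img>` with a bad `src` fires immediately, so the event-attribute vector in the list above is the one to try first when checking a filter. For production code, a maintained sanitizer library is the better choice; this block is meant to show the shape of the technique.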