Re: A technique to mitigate cookie-stealing XSS attacks

From: Seth Arnold (sarnoldat_private)
Date: Mon Nov 11 2002 - 12:29:41 PST


    On Sun, Nov 10, 2002 at 04:21:41AM +0100, Ulf Harnhammar wrote:
    > On Thu, 7 Nov 2002, Justin King wrote:
    > 
    > > I would be very interested in major browsers supporting a <dead> tag with an
    > > optional parameter to be a hash of the data between the opening and closing
    > > dead tag. This tag would indicate that no "live" elements of HTML be
    > > supported (e.g., JavaScript, VBScript, embed, object).
    > 
    > I'm not sure if that's the best solution. Lots of code out there does much
    > less filtering than it should, so there will probably be a way to include
    > a </dead> tag and then use all the usual XSS tricks.
    
    Amending Justin's suggestion to _require_ a parameter would likely be
    sufficient:
    
    <dead uniq="7f7a2eb8d3adde08f37f22645cb2853e">
    [insert nasty javascript, XSS, etc]
    </dead uniq="7f7a2eb8d3adde08f37f22645cb2853e">
    
    
    If the two tags don't match, the browser continues to enforce the 'dead'
    sections of code. Any browser supporting such a dead tag could similarly
    require the matching uniqueness tag -- since we are inventing such a tag,
    browsers implementing it have a chance to get it correct. :)
    
    (Of course, any content that supplies static tags is doomed -- the
    uniqueness tags need to be random enough to prevent guessing by a
    dedicated attacker -- or at least sufficiently random to require
    attackers to be dedicated.)
    
    -- 
    http://immunix.org/
    
    This archive was generated by hypermail 2b30 : Thu Nov 14 2002 - 18:03:22 PST