
96 Re: ADsafe, Take 6

  • collin_jackson
    Oct 16, 2007
      <div x="\"><img onload=alert(42)
      src=http://json.org/img/json160.gif>"></div>

      --- In caplet@yahoogroups.com, "Douglas Crockford" <douglas@...> wrote:
      >
      > The next step is to secure HTML fragments. JSLint has an HTML fragment
      > option. When used with ADsafe, it will accept a <div> or <iframe> and
      > its contents. It will be inspected for XSS attacks and other worries.
      >
      > The <div> may contain a <script> that will also be vetted and vatted.
      >
      > The biggest open issue is policy on id's of HTML elements. I'll be
      > working with our ad system people to resolve that.
      >
      > Safe HTML makes safe JS look easy. Really easy. Please let me know
      > what XSS attacks get passed.
      >
      > http://www.JSLint.com/
      >
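Why the fragment at the top of this message is a useful test case for an HTML checker, as an added example that is not part of the original message and is not JSLint's code: HTML attribute values have no backslash escape, so `x="\"` ends at the second quote and the `<img>` that follows is a real element. `naive_tags` is a hypothetical scanner that wrongly applies JavaScript string-escape rules; `html_tags` uses Python's standard `html.parser`, which tokenizes attributes the way HTML defines them.

```python
from html.parser import HTMLParser

# The fragment from the message above, reproduced as a string literal.
FRAGMENT = ('<div x="\\"><img onload=alert(42)\n'
            'src=http://json.org/img/json160.gif>"></div>')

def naive_tags(fragment):
    """Hypothetical checker: treats \\" inside a quoted attribute value
    as an escaped quote, which is a JavaScript rule, not an HTML one."""
    tags, i = [], 0
    while (i := fragment.find('<', i)) != -1:
        j, quote = i + 1, None
        while j < len(fragment):
            c = fragment[j]
            if quote:
                if c == '\\':
                    j += 1            # the mistake: skip the "escaped" char
                elif c == quote:
                    quote = None
            elif c in '"\'':
                quote = c
            elif c == '>':
                break
            j += 1
        words = fragment[i + 1:j].split()
        if words:
            tags.append(words[0].lower())
        i = j + 1
    return tags

class Audit(HTMLParser):
    """Records every tag and every on* event-handler attribute seen."""
    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [(tag, n) for n, _ in attrs if n.startswith('on')]
    def handle_endtag(self, tag):
        self.tags.append('/' + tag)

def html_tags(fragment):
    p = Audit()
    p.feed(fragment)
    p.close()
    return p.tags, p.handlers
```

The naive scanner sees only a `<div>` with one long attribute, while the HTML tokenizer reports the `<img>` and its `onload` handler, so a vetting step has to use the same attribute rules as the browser that will render the fragment.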