Insane in the IFRAME -- The case for client-side HTML sanitization
Transcript of Insane in the IFRAME -- The case for client-side HTML sanitization
David Ross, Principal Software Security Engineer, Trustworthy Computing Security, Microsoft
@NealPoole https://t.co/5omk5ec2UD
@kkotowicz @NealPoole @adam_baldwin
difficult
• No independent parsing / context handling
everything else
1. document.implementation.createHTMLDocument
2. document.createTreeWalker
3. Remove elements / attributes / etc. not explicitly allowed*
* Old (less-performant) approach: Build yet another DOM by copying safe elements / attributes / etc. to a new DOM during the tree walk
document.implementation.createHTMLDocument
Must never run script
setAttribute
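An added example of the approach sketched above (parse into an inert document, walk the tree, delete what is not on the allowlist), written in JavaScript against the standard DOM interface. It is not the speaker's code or any Microsoft library: the policy contents, the URL scheme check on href/src, the own-property lookup, and the StubElement class that lets the walker run outside a browser are all assumptions added here.

```javascript
// Allowlist sanitizer that walks a DOM in place and deletes what is not
// permitted. It touches only the standard DOM surface (nodeType, tagName,
// attributes, childNodes, removeChild, removeAttribute), so the same function
// runs in a browser over an inert document and, offline, over the stub below.
const ELEMENT_NODE = 1, TEXT_NODE = 3;

// Policy (assumed, not from the talk): allowed elements, the attributes each
// may keep, and which attributes carry URLs and so need a scheme check.
const DEFAULT_POLICY = {
  elements: {
    div: ['class'], p: ['class'], span: ['class'], b: [], i: [], ul: [], li: [],
    a: ['href', 'title'], img: ['src', 'alt'],
  },
  urlAttributes: new Set(['href', 'src']),
  allowedSchemes: new Set(['http:', 'https:', 'mailto:']),
};

// URL parsers drop ASCII tab/newline and leading C0 controls, so "java\tscript:"
// still runs. Normalize the same way before reading the scheme; no scheme = relative URL.
function urlIsAllowed(value, policy = DEFAULT_POLICY) {
  const normalized = value.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalized);
  return m === null || policy.allowedSchemes.has(m[1].toLowerCase() + ':');
}

// Tree walk that removes in place (the talk's step 3) rather than copying
// allowed nodes into yet another document.
function sanitizeTree(root, policy = DEFAULT_POLICY) {
  // Snapshot the children: removing from a live childNodes list while
  // iterating it would skip the sibling after each removed node.
  for (const child of Array.from(root.childNodes)) {
    if (child.nodeType === TEXT_NODE) continue;
    if (child.nodeType !== ELEMENT_NODE) {  // comments, PIs, CDATA
      root.removeChild(child);
      continue;
    }
    // Own-property lookup: a bare policy.elements[tag] would accept
    // <constructor> or <tostring> through Object.prototype.
    const tag = child.tagName.toLowerCase();
    const allowedAttrs = Object.prototype.hasOwnProperty.call(policy.elements, tag)
      ? policy.elements[tag] : undefined;
    if (!allowedAttrs) {
      // Drop unknown elements with their subtree, so <script>/<style> text is not hoisted.
      root.removeChild(child);
      continue;
    }
    // attr.value is already entity-decoded by the browser's own parser.
    for (const attr of Array.from(child.attributes)) {
      const name = attr.name.toLowerCase();
      const badUrl = policy.urlAttributes.has(name) && !urlIsAllowed(attr.value, policy);
      if (!allowedAttrs.includes(name) || badUrl) child.removeAttribute(attr.name);
    }
    sanitizeTree(child, policy);
  }
  return root;
}

// Browser entry point (not exercised offline): parse into an inert document,
// where script in the markup cannot execute, then walk and serialize.
function sanitizeHTML(html, policy = DEFAULT_POLICY) {
  const doc = document.implementation.createHTMLDocument('');
  doc.body.innerHTML = html;
  return sanitizeTree(doc.body, policy).innerHTML;
}

// Constructed stand-in for a DOM element so the walker can run under Node.
class StubElement {
  constructor(tagName, attrs = {}, children = []) {
    this.nodeType = ELEMENT_NODE;
    this.tagName = tagName.toUpperCase();
    this.attributes = Object.entries(attrs).map(([name, value]) => ({ name, value }));
    this.childNodes = children;
  }
  removeChild(node) { this.childNodes = this.childNodes.filter((c) => c !== node); }
  removeAttribute(name) { this.attributes = this.attributes.filter((a) => a.name !== name); }
}
const text = (data) => ({ nodeType: TEXT_NODE, data });
const comment = (data) => ({ nodeType: 8, data });

// Minimal serializer for the stub tree (a browser would use innerHTML).
function serialize(node) {
  if (node.nodeType === TEXT_NODE) return node.data;
  const attrs = node.attributes.map((a) => ` ${a.name}="${a.value}"`).join('');
  const tag = node.tagName.toLowerCase();
  return `<${tag}${attrs}>${node.childNodes.map(serialize).join('')}</${tag}>`;
}

// Constructed untrusted input, as the parser would build it from:
// <div><p onclick="x()" class="note">Hi <b>there</b></p><script>evil()</script><!-- injected -->
// <a href="java&#9;script:alert(1)">x</a><img src="https://example.test/a.png" onerror="evil()"></div>
function demo() {
  const root = new StubElement('div', {}, [
    new StubElement('p', { onclick: 'x()', class: 'note' }, [text('Hi '), new StubElement('b', {}, [text('there')])]),
    new StubElement('script', {}, [text('evil()')]),
    comment(' injected '),
    new StubElement('a', { href: 'java\tscript:alert(1)' }, [text('x')]),
    new StubElement('img', { src: 'https://example.test/a.png', onerror: 'evil()' }),
  ]);
  return serialize(sanitizeTree(root));
}
```

In a browser, call sanitizeHTML(untrustedMarkup) and insert the returned string; because the parse happens in a document created by createHTMLDocument, the `<script>` and the `onerror` handler in the input never get a chance to run before the walk deletes them. The demo() tree shows the same walk removing the event handlers, the script element with its text, the comment, and the tab-obfuscated javascript: href, while keeping the https: image source.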
promises / deferreds
[Demo] [Benchmark]
Options precedence / inheritance rules: (Options specified on target element) > (options specified on sanitize() call) > (default options)
Mario Heiderich @0x6D6172696F: JSAgents / IceShield
Gareth Heyes @garethheyes: JSLR
Ben Livshits, Loris D’Antoni: FAST
Caja HTML sanitizer
Stefano Di Paola, Eduardo ‘Sirdarckcat’ Vela N.
I just presented on HTML sanitization at OWASP AppSec EU 2013. AMA! (self.AMA)
1 Submitted 1 second ago by randomdross
0 comments share