BugTraq
A technique to mitigate cookie-stealing XSS attacks Nov 05 2002 06:44PM
Michael Howard (mikehow microsoft com) (3 replies)
Re: A technique to mitigate cookie-stealing XSS attacks Nov 11 2002 06:19PM
Jeremiah Grossman (jeremiah whitehatsec com) (1 replies)
RE: A technique to mitigate cookie-stealing XSS attacks Nov 12 2002 12:46AM
Jason Coombs (jasonc science org)
Re: A technique to mitigate cookie-stealing XSS attacks Nov 07 2002 08:26PM
Justin King (justin othius com) (1 replies)
Re: A technique to mitigate cookie-stealing XSS attacks Nov 10 2002 03:21AM
Ulf Harnhammar (ulfh update uu se) (2 replies)
RE: A technique to mitigate cookie-stealing XSS attacks Nov 12 2002 10:43AM
jasonk (jasonk swin edu au)
Re: A technique to mitigate cookie-stealing XSS attacks Nov 11 2002 08:29PM
Seth Arnold (sarnold wirex com)
On Sun, Nov 10, 2002 at 04:21:41AM +0100, Ulf Harnhammar wrote:
> On Thu, 7 Nov 2002, Justin King wrote:
>
> > I would be very interested in major browsers supporting a <dead> tag with an
> > optional parameter to be a hash of the data between the opening and closing
> > dead tag. This tag would indicate that no "live" elements of HTML be
> > supported (e.g., JavaScript, VBScript, embed, object).
>
> I'm not sure if that's the best solution. Lots of code out there does much
> less filtering than it should, so there will probably be a way to include
> a </dead> tag and then use all the usual XSS tricks.

Amending Justin's suggestion to _require_ a parameter would likely be
sufficient:

<dead uniq="7f7a2eb8d3adde08f37f22645cb2853e">
[insert nasty javascript, XSS, etc]
</dead uniq="7f7a2eb8d3adde08f37f22645cb2853e">

If the two tags don't match, the browser continues to enforce the 'dead'
sections of code. Any browser supporting such a dead tag could similarly
require the matching uniqueness tag -- since we are inventing such a tag,
browsers implementing it have a chance to get it correct. :)

(Of course, any content that supplies static tags is doomed -- the
uniqueness tags need to be random enough to prevent guessing by a
dedicated attacker -- or at least sufficiently random to require
attackers to be dedicated.)

--
http://immunix.org/

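The matching-token rule proposed in the message above, as an added example that is not part of the original post: a Python model of a server wrapping untrusted markup in the proposed `<dead uniq=...>` pair and of a parser that ends the dead region only on a closing tag with the same token. The function names, the regular expression and the sample comment are constructed for illustration, and the tag itself is the hypothetical one from the thread.

```python
import re
import secrets

OPEN_RE = re.compile(r'<dead uniq="([0-9a-f]+)">')

def wrap_dead(untrusted):
    """Server side: wrap untrusted markup with a fresh 128-bit token per response."""
    token = secrets.token_hex(16)
    return f'<dead uniq="{token}">{untrusted}</dead uniq="{token}">'

def split_dead(page):
    """Parser model: return (mode, text) segments, mode being 'live' or 'dead'.

    A dead region ends only at a closing tag whose uniq value equals the one on
    its opening tag; with no matching close, the rest of the page stays dead.
    """
    segments, pos = [], 0
    while True:
        m = OPEN_RE.search(page, pos)
        if m is None:
            segments.append(("live", page[pos:]))
            break
        segments.append(("live", page[pos:m.start()]))
        close = f'</dead uniq="{m.group(1)}">'
        end = page.find(close, m.end())
        if end == -1:
            segments.append(("dead", page[m.end():]))
            break
        segments.append(("dead", page[m.end():end]))
        pos = end + len(close)
    return [s for s in segments if s[1]]

def live_text(page):
    """Everything the parser would still treat as active markup."""
    return "".join(text for mode, text in split_dead(page) if mode == "live")

# Constructed inputs. STATIC is the token printed in the post, i.e. one the
# attacker can read in advance; the comment tries a bare and a guessed close.
STATIC = "7f7a2eb8d3adde08f37f22645cb2853e"
COMMENT = f'</dead></dead uniq="{STATIC}"><script>alert(1)</script>'

if __name__ == "__main__":
    static_page = f'<dead uniq="{STATIC}">{COMMENT}</dead uniq="{STATIC}">'
    print("static token, live:", repr(live_text(static_page)))
    print("random token, live:", repr(live_text(wrap_dead(COMMENT))))
```

With the static token the script element lands in a live segment; with a per-response random token the whole comment, guessed closing tags included, stays dead.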
Re: A technique to mitigate cookie-stealing XSS attacks Nov 05 2002 09:38PM
Florian Weimer (Weimer CERT Uni-Stuttgart DE) (2 replies)
Re: A technique to mitigate cookie-stealing XSS attacks Nov 08 2002 04:23AM
daw mozart cs berkeley edu (David Wagner)
Re: A technique to mitigate cookie-stealing XSS attacks Nov 06 2002 05:16AM
Valdis Kletnieks vt edu (1 replies)
Re: A technique to mitigate cookie-stealing XSS attacks Nov 08 2002 10:12AM
Florian Weimer (Weimer CERT Uni-Stuttgart DE)
Copyright 2010, SecurityFocus