Michał Bentkowski

Results 20 comments of Michał Bentkowski

@mfreed7 asked me about my thoughts on security implications of being more lenient in tag names. So here are my two cents. @domenic wrote:

> So I guess the relevance...

> I'd quite strongly prefer that no existing HTML/XML meta characters would be newly allowed. E.g. several proposals above allow "

I am just bumping the post. I have the same problem on Android x86 emulator. Tested on Android 5.0-7.0. No matter what application I'm trying to hook to, I always...

Correct me if I'm wrong but I think we cannot distinguish whether this is a static assignment of an empty string vs. a dynamic assignment of a variable that just...

Even without `responseType` set to `document`, you can still bypass Trusted Types with XHR, by abusing `responseXML`:

```html
const xhr = new XMLHttpRequest();
xhr.open("get", "data:text/xml,")
xhr.send();
xhr.onload = ev =>...
```

Even more interesting with noscript:

```html
let attackerControlledString = "";
const doc = document.implementation.createHTMLDocument();
const xslt = document.createElementNS("http://www.w3.org/1999/XSL/Transform","xsl:stylesheet");
xslt.setAttribute("xmlns:xsl","http://www.w3.org/1999/XSL/Transform");
const template = document.createElementNS("http://www.w3.org/1999/XSL/Transform","xsl:template");
template.setAttribute("match","/");
const xmp = document.createElement('noscript');
xmp.textContent =...
```

@SelenIT Parsing of `` is actually a spec bug that still works in Safari. Check: https://github.com/whatwg/html/issues/5113 [edit]: But the spec bug isn't the only case in which escaping of ``...

> Do I correctly understand that the proposed change is to only change the to-string serialization format?

Exactly. The whole thing is just to encode `` in attributes when serializing...

FYI, an experiment landed in Chrome: https://chromium-review.googlesource.com/c/chromium/src/+/4362958 (it should be available in Canary in a few hours). Currently, it's under [#enable-experimental-web-platform-features](chrome://flags/#enable-experimental-web-platform-features). There's also a use counter `AttributeValueContainsLtOrGt` that hits whenever...

@zcorpan Yes. AFAIR since M113. Still under the #enable-experimental-web-platform-features flag though.