Michał Bentkowski

Results 6 comments of Michał Bentkowski

@mfreed7 asked me about my thoughts on security implications of being more lenient in tag names. So here are my two cents. @domenic wrote: > So I guess the relevance...

> I'd quite strongly prefer that no existing HTML/XML meta characters would be newly allowed. E.g. several proposals above allow "

I am just bumping the post. I have the same problem on Android x86 emulator. Tested on Android 5.0-7.0. No matter what application I'm trying to hook to, I always...

Correct me if I'm wrong but I think we cannot distinguish whether this is a static assignment of an empty string vs. a dynamic assignment of a variable that just...

Even without `responseType` set to `document`, you can still bypass Trusted Types with XHR, by abusing `responseXML`:

```html
const xhr = new XMLHttpRequest();
xhr.open("get", "data:text/xml,")
xhr.send();
xhr.onload = ev =>...
```

Even more interesting with noscript:

```html
let attackerControlledString = "";
const doc = document.implementation.createHTMLDocument();
const xslt = document.createElementNS("http://www.w3.org/1999/XSL/Transform","xsl:stylesheet");
xslt.setAttribute("xmlns:xsl","http://www.w3.org/1999/XSL/Transform");
const template = document.createElementNS("http://www.w3.org/1999/XSL/Transform","xsl:template");
template.setAttribute("match","/");
const xmp = document.createElement('noscript');
xmp.textContent =...
```