nette.ajax.js icon indicating copy to clipboard operation
nette.ajax.js copied to clipboard
verified publisher icon vojtech-dobes

Defense against Mutation XSS attacks [WIP]

Open vojtech-dobes opened this issue 11 years ago • 0 comments

Fixes #88. Work in progress.

/cc @mishak87: is this correct approach? If this is correct implementation of TrueHTML, then 2 points must be resolved:

  • [ ] TrueHTML cannot be used if Object.defineProperty is not available (or broken in IE8) OR XmlSerializer isn't available
  • [ ] if TrueHTML cannot be used:
    • [ ] 1. HTML must be sanitized in different way
    • [ ] 2. nette.ajax.js will refuse to update snippet
    • [ ] 3. nette.ajax.js will update snippet but scream about security hole

vojtech-dobes avatar May 24 '14 13:05 vojtech-dobes