Posted 06-Jul-2015 by david-ross (category: Technology)
David Ross, Principal Software Security Engineer, Trustworthy Computing Security, Microsoft
@NealPoole https://t.co/5omk5ec2UD
@kkotowicz @NealPoole @adam_baldwin
difficult
• No independent parsing / context handling
everything else
document.implementation.createHTMLDocument
3. Remove elements / attributes / etc. not explicitly allowed*
* Old (less-performant) approach: build yet another DOM by copying safe elements / attributes / etc. to a new DOM during the tree walk
document.implementation.createHTMLDocument
Must never run script
setAttribute
promises / deferreds
[Demo] [Benchmark]
Options precedence / inheritance rules: (Options specified on target element) > (options specified on sanitize() call) > (default options)
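The design sketched in the lines above (let the browser build the DOM, walk it, remove everything not explicitly allowed, and layer options in the stated precedence order) as an added JavaScript example; this is not code from the talk or from Microsoft. It assumes a policy shape of tag name to allowed attribute names, that per-call and per-target options are passed as plain objects to sanitize(), that URL-valued attributes are checked by scheme after resolving against a fixed hypothetical base, and that a tag set to null in a higher-precedence layer forbids it. The policy functions are pure and run anywhere; sanitize() itself needs a browser because it relies on document.implementation.createHTMLDocument.

```javascript
// Added example, not the talk's or Microsoft's code: a DOM-based allowlist
// sanitizer. The browser parser builds the tree (no independent parsing),
// the tree walk removes everything not explicitly allowed, and option layers
// resolve as: target element > sanitize() call > defaults.

// Default policy (assumed shape: tag -> list of allowed attribute names).
const DEFAULT_OPTIONS = {
  elements: { a: ['href', 'title'], b: [], i: [], p: [], br: [], ul: [], li: [] },
  urlSchemes: ['http:', 'https:', 'mailto:'],
};

// Attributes whose value is a URL and must pass the scheme check.
const URL_ATTRIBUTES = new Set(['href', 'src']);

// Merge option layers; later layers win. Called as
// resolveOptions(defaults, sanitizeCallOptions, targetElementOptions), so the
// target element's options take precedence over the call's, which take
// precedence over the defaults. A tag set to null in a higher layer forbids
// it even if a lower layer allowed it.
function resolveOptions(...layers) {
  return layers.reduce(
    (acc, layer) => ({
      ...acc,
      ...layer,
      elements: { ...acc.elements, ...(layer.elements || {}) },
    }),
    { elements: {}, urlSchemes: [] }
  );
}

// Decide whether one attribute survives on a given tag.
function attributeAllowed(tag, name, value, opts) {
  const lower = name.toLowerCase();
  const allowed = opts.elements[tag];
  if (!Array.isArray(allowed) || !allowed.includes(lower)) return false;
  if (!URL_ATTRIBUTES.has(lower)) return true;
  // Resolve against a fixed base (hypothetical host) so relative links are
  // accepted, then compare the parsed scheme against the allowlist. The WHATWG
  // parser lowercases the scheme and strips leading/trailing whitespace, so
  // those variations are normalised before the comparison.
  let parsed;
  try {
    parsed = new URL(value, 'https://sanitizer.invalid/');
  } catch (e) {
    return false; // unparseable value: drop it
  }
  return opts.urlSchemes.includes(parsed.protocol);
}

// Walk a subtree in place, removing comments, disallowed elements (together
// with their subtrees) and disallowed attributes. Text nodes are kept.
function walk(node, opts) {
  // Snapshot the child list because we remove nodes while iterating.
  for (const child of Array.from(node.childNodes)) {
    if (child.nodeType === 8) { // Comment
      child.remove();
    } else if (child.nodeType === 1) { // Element
      const tag = child.tagName.toLowerCase();
      if (!Array.isArray(opts.elements[tag])) {
        child.remove();
        continue;
      }
      for (const attr of Array.from(child.attributes)) {
        if (!attributeAllowed(tag, attr.name, attr.value, opts)) {
          child.removeAttribute(attr.name);
        }
      }
      walk(child, opts);
    }
  }
}

// Browser-only entry point: parse into an inert document created with
// createHTMLDocument (it has no browsing context, so nothing in the markup
// runs or loads while it is inspected), prune it, and return the markup.
function sanitize(html, callOptions = {}, targetOptions = {}) {
  const opts = resolveOptions(DEFAULT_OPTIONS, callOptions, targetOptions);
  const doc = document.implementation.createHTMLDocument('');
  doc.body.innerHTML = html;
  walk(doc.body, opts);
  return doc.body.innerHTML;
}

if (typeof document !== 'undefined') {
  // Constructed sample input for a browser console; under Node this is skipped.
  console.log(sanitize('<p onclick="x()">hi <a href="javascript:alert(1)">a</a><script>y()</script></p>'));
}
```

Removing a disallowed element drops its whole subtree; a sanitizer that prefers to keep the text of, say, a stripped div would unwrap the element instead of removing it, which is a policy decision rather than a parsing one. The pruning happens entirely inside the inert document, and only the resulting markup is ever assigned into the live page.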
Mario Heiderich @0x6D6172696F, JSAgents / IceShield
Gareth Heyes @garethheyes, JSLR
Ben Livshits, Loris D’Antoni: FAST
Caja HTML sanitizer
Stefano Di Paola, Eduardo ‘Sirdarckcat’ Vela N.
I just presented on HTML sanitization at OWASP AppSec EU 2013. AMA! (self.AMA)
Submitted by randomdross