Quarantining crap HTML?

David Dorward david at dorward.me.uk
Wed May 22 18:53:02 BST 2013


On 22 May 2013, at 16:29, DAVID HODGKINSON wrote:

> On 21 May 2013, at 13:14, Philip Skinner <me at philip-skinner.co.uk> 
> wrote:
>> You can specify the content of an iframe using a javascript call in 
>> the src:
>> <iframe src="javascript:'<html><body><b>hurrah, another 
>> iframe</b></body></html>';"></iframe>

> Upon sleeping on it, this was the direction I was headed in.
>
> The problem is the HTML is user-generated and we know where that
> leads.

If I were using that approach, I'd host the HTML on a different domain 
(to use the Same Origin Policy to protect my site against JS attacks 
from the HTML) and cover it with anti-evil HTTP headers (to stop people 
including frame buster scripts).

http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00

(Not that that would be the first approach I'd consider, I'd tend 
towards parsing the HTML, running it through a whitelist to determine 
what attributes were acceptable or not and then spitting out something 
valid and non-evil though.)

-- 
David Dorward
http://dorward.co.uk/
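As an added illustration of the two options raised in the thread (not code from David, Philip or the list), here is an allowlist sanitizer built on Python's html.parser, plus the response headers a separate "quarantine" host would send when the raw HTML is served into an iframe instead. The tag/attribute allowlist, the MAIN_SITE origin and the function names are assumptions chosen for the example; X-Frame-Options is the header from the draft linked above, and the iframe sandbox attribute is an addition beyond what the thread mentions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist (an assumption for this example): tag -> attributes permitted on it.
ALLOWED = {
    "b": set(), "i": set(), "em": set(), "strong": set(), "p": set(),
    "br": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"}, "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
RAW_TEXT_TAGS = {"script", "style"}   # dropped together with their contents


def safe_url(value):
    """Allow relative URLs and http/https/mailto; reject javascript:, data:, etc."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags and attributes. Anything else is
    dropped or reduced to escaped text, and the output is always well-nested."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []      # tags emitted and not yet closed
        self.skipping = None     # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in RAW_TEXT_TAGS:
            self.skipping = tag
            return
        if tag not in ALLOWED:
            return               # unknown tag is dropped; its text survives as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue         # kills onclick=, style=, formaction=, ...
            value = "" if value is None else value
            if name in URL_ATTRS and not safe_url(value):
                continue         # kills href="javascript:..." and src="data:..."
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
            return
        if tag in self.open_tags:
            while self.open_tags:    # close anything still open inside it
                inner = self.open_tags.pop()
                self.out.append("</%s>" % inner)
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions: the base class ignores them.

    def result(self):
        while self.open_tags:        # close whatever the input left dangling
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


# Quarantine-host side: the raw HTML lives on a different domain, so the Same
# Origin Policy keeps its scripts away from the main site's DOM and cookies.
MAIN_SITE = "https://www.example.com"            # placeholder for the real site origin


def quarantine_headers():
    """Response headers for the quarantine host. X-Frame-Options comes from the
    draft linked in the thread; ALLOW-FROM restricts who may frame the content."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "X-Frame-Options": "ALLOW-FROM " + MAIN_SITE,
    }


def embed_markup(quarantine_url):
    """Iframe emitted by the main site. An empty sandbox attribute disables
    scripts, forms and top-level navigation inside the frame, so a frame buster
    in the user HTML has nothing to run with."""
    return '<iframe src="%s" sandbox></iframe>' % escape(quarantine_url, quote=True)


if __name__ == "__main__":
    # Constructed sample input, including the thread's own iframe trick.
    print(sanitize('<b onclick="evil()">hi</b><script>alert(1)</script>'))
    print(sanitize("<iframe src=\"javascript:'<b>x</b>'\"></iframe>kept text"))
    print(quarantine_headers())
    print(embed_markup("https://quarantine.example.net/post/123"))
```

Of the two, the sanitizer is the approach the post says it would reach for first; the header and sandbox pieces only make sense if the raw HTML really is served from a domain that shares no cookies with the main site.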


More information about the london.pm mailing list