Hacker Times
new
|
past
|
comments
|
ask
|
show
|
jobs
|
submit
login
ZoFreX
on March 9, 2013
|
parent
|
context
|
favorite
| on:
Hacking Github with Webkit
What about only letting users customise CSS and HTML? Can that be secure?
homakov
on March 9, 2013
[–]
JS CSS HTML are very mixed in each other. It is
very
hard to allow only CSS/HTML.
Jabbles
on March 9, 2013
|
parent
|
next
[–]
May I recommend
https://js-quasis-libraries-and-repl.googlecode.com/svn/trun...
as a good read. It examines a system that can safely escape content based on its context, and forms the basis of one of the template packages of Go.
homakov
on March 9, 2013
|
root
|
parent
|
next
[–]
btw <meta http-equiv=Set-Cookie> may behave same way!
ZoFreX
on March 9, 2013
|
root
|
parent
|
prev
|
next
[–]
Thanks for the rec, this looks really good! Reminds me a lot of XHP.
homakov
on March 9, 2013
|
root
|
parent
|
prev
|
next
[–]
best xss protection -
http://homakov.blogspot.com/2013/02/pagebox-website-gatekeep...
ZoFreX
on March 9, 2013
|
parent
|
prev
[–]
Alright... what if they could only change the CSS, and not the HTML and JS? (Obviously not a solution for Github pages, but workable in some scenarios)
eli
on March 9, 2013
|
root
|
parent
[–]
Still sounds dangerous to me. It's possible to execute code from CSS!
https://code.google.com/p/browsersec/wiki/Part1#Cascading_st...
Guidelines
|
FAQ
|
Lists
|
API
|
Security
|
Legal
|
Apply to YC
|
Contact
Search:
