If I got a Bitcoin every time some websec folk started a Twitterstorm bashing CSP without proposing a viable alternative, I would be rich.
Replying to @BRIAN_____ @hillbrad and
You introduce the fragment back to the DOM, triggering the XSS I guess. Sanitization is missing.
Replying to @kkotowicz @BRIAN_____ and
it is easier to be insecure than secure. To get security we need to change that.
Replying to @slekies @kkotowicz and
we should make insecure things hard/impossible and secure ways easy and convenient.
Replying to @slekies @kkotowicz and
remove everything that causes vulns (innerHTML) and provide good alternatives
Replying to @slekies @kkotowicz and
I vote for an innerHTML with ES6 templates: somediv.setInnerHTML`<b data-x=${x}>${someText}</b>`
extra bonus: ability to mix the template method with DOM APIs or so
div.setInnerHTML`<table>${list.map(e=>document.nodeFromTemplate`<td>${e}</td>`)}</table>`
4:42 PM - 5 Oct 2016
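The auto-escaping tagged template the thread sketches (`setInnerHTML` with an ES6 template, nested templates for list items), written out as an added example that is not code from the thread or from any of its participants; the names `html`, `SafeHtml`, `render` and `setInnerHTML` are assumed here, and the sample input is constructed.

```javascript
// Added example, not from the thread: a tagged template that escapes every
// interpolated value, so the literal markup is trusted and the data is not.
// Runs in Node; the DOM hook at the bottom only needs an innerHTML property.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for HTML text content or a *quoted* attribute value.
// An unquoted attribute (data-x=${x}) is not covered: a space ends the value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Marker type: markup that already went through the tag and may be inlined.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// One interpolated value: SafeHtml passes through, arrays are joined (so
// list.map(e => html`<td>${e}</td>`) nests), everything else is escaped.
function render(value) {
  if (value instanceof SafeHtml) return value.markup;
  if (Array.isArray(value)) return value.map(render).join('');
  if (value === null || value === undefined) return '';
  return escapeHtml(value);
}

// The tag function: literal parts come from source code, values do not.
function html(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += render(values[i]) + strings[i + 1];
  }
  return new SafeHtml(out);
}

// Only SafeHtml built by the tag is accepted, so a raw string cannot be
// assigned by accident (the insecure path is made hard, the secure one easy).
function setInnerHTML(el, safe) {
  if (!(safe instanceof SafeHtml)) throw new TypeError('setInnerHTML requires html`...`');
  el.innerHTML = safe.markup;
  return el.innerHTML;
}

// Constructed sample: untrusted text ends up inert in both contexts.
const untrusted = '<script>alert(1)</script>';
const el = { innerHTML: '' };
setInnerHTML(el, html`<b title="${untrusted}">${untrusted}</b>`);
```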