[Webkit-unassigned] [Bug 26825] innerHTML applies meta/link/title tags before getting committed.
bugzilla-daemon at webkit.org
Mon Jun 29 20:44:09 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=26825
------- Comment #4 from sirdarckcat at gmail.com 2009-06-29 20:44 PDT -------
#3 this can be used to escape a browser-level sandbox.
IE is the only other browser that executes code in "virtual" DOM (before
getting appended to the document)
document.createElement("html").appendChild(document.createElement("script")).text="alert('i suck')";
This is a particular problem when a script is reconstructing a DOM from scratch.
Greetings!!