I’m doing some security research related to DOM-Based XSS. See: https://www.owasp.org/index.php/DOM_Based_XSS if you aren’t familiar with it.
One of the things I want to figure out is all the methods available in the browser to update the DOM. Is anyone on this list aware of a good set of API documentation for this?
I’ve reviewed the ECMAScript spec, for example, but it covers way more than how to update the DOM, and it’s not clear which methods could update the DOM with JavaScript anyway. For example, I couldn’t find document.write() as a method supported by JavaScript. Maybe that’s a browser-specific extension that’s not part of the spec.
It seems to me that having a very clear definition of all the methods that can be used to update the DOM would be useful to the community and I’m surprised that it’s not already out there. Maybe it is, but I can’t find it.
Any help would be appreciated.
Thanks, Dave
I already looked at: http://www.w3.org/TR/DOM-Level-3-Core/ and it didn’t seem to be very complete to me, but maybe it is. My first thing to look for was document.write(), and the above doesn’t seem to indicate there is a write method. Maybe that method is simply an extension to this core that all browsers support but isn’t part of the standard. Or maybe it is defined in the above and I just couldn’t find it.
I looked in: http://www.w3.org/TR/DOM-Level-3-Core/core.html, and http://www.w3.org/TR/DOM-Level-3-Core/ecma-script-binding.html and neither seemed to indicate there was supposed to be a method called write().
So if the above is a subset of the DOM update methods most browsers support today, is it MOST but not all, or is it not even close? And how do I actually determine what extra methods are available beyond what is defined in the DOM-Level-3 core spec?
-Dave
I don't know who PPK is.