Good API documentation for DOM?


Dave Wichers

Apr 25, 2012, 10:06:23 AM
to browse...@googlegroups.com

I’m doing some security research related to DOM-Based XSS. See: https://www.owasp.org/index.php/DOM_Based_XSS if you aren’t familiar with it.

One of the things I want to figure out is all the methods available in the browser to update the DOM. Is anyone on this list aware of a good set of API documentation for this?

I’ve reviewed the ECMAScript spec, for example, but it covers way more than how to update the DOM, and it’s not clear which methods could update the DOM with JavaScript anyway. For example, I couldn’t find document.write() as a method supported by JavaScript. Maybe that’s a browser-specific extension that’s not part of the spec.

It seems to me that having a very clear definition of all the methods that can be used to update the DOM would be useful to the community and I’m surprised that it’s not already out there. Maybe it is, but I can’t find it.

Any help would be appreciated.


Thanks, Dave

Lindsey Simon

Apr 25, 2012, 11:36:19 AM
to browse...@googlegroups.com
There are the DOM level docs, like http://www.w3.org/TR/DOM-Level-3-Core/ but yeah, I looked too a while back and found nothing like a list. One test I've always wanted on Browserscope (and maybe this would be something you could shepherd?) is a DOM compatibility test.
There are many tests which cover aspects of the DOM but I'd love to see one which goes through known methods and, at a minimum, tests for their existence on a node in a browser. I had this fantasy not long ago that such a result set could feed a JavaScript linter so that you could inspect some JS code and go - aha! your use of method X is known not to work on these browsers (as a warning or something).
-l

--
You received this message because you are subscribed to the Google Groups "Browserscope" group.
To post to this group, send email to browse...@googlegroups.com.
To unsubscribe from this group, send email to browserscope...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/browserscope?hl=en.

Dave Wichers

Apr 25, 2012, 5:37:57 PM
to browse...@googlegroups.com

I already looked at: http://www.w3.org/TR/DOM-Level-3-Core/ and it didn’t seem to be very complete to me, but maybe it is. My first thing to look for was document.write(), and the above doesn’t seem to indicate there is a write method. Maybe that method is simply an extension to this core that all browsers support but isn’t part of the standard. Or maybe it is defined in the above and I just couldn’t find it.

I looked in: http://www.w3.org/TR/DOM-Level-3-Core/core.html, and http://www.w3.org/TR/DOM-Level-3-Core/ecma-script-binding.html and neither seemed to indicate there was supposed to be a method called write().

So if the above is a subset of the DOM update methods most browsers support today, is it MOST but not all, or is it not even close? And how do I actually determine what extra methods are available beyond what is defined in the DOM-Level-3 core spec?


-Dave
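
One way to answer the "how do I determine what extra methods are available" question empirically, as an added example that is not code from this thread or from any of the posters: walk the prototype chain of a DOM object with plain ECMAScript reflection (Object.getOwnPropertyNames / getOwnPropertyDescriptor), record every method and every settable accessor the engine exposes, and diff that against a list of names taken from the spec. The DOM3_CORE_METHODS list below is my own partial transcription of the Node and Document method names in DOM Level 3 Core; FakeNode/FakeDocument are a constructed stand-in so the code also runs outside a browser. In a browser console you would call enumerateDomApi(document) or enumerateDomApi(document.body) instead. Settable accessors are included on purpose: many DOM XSS sinks (innerHTML, outerHTML, src, href) are attribute setters rather than methods, so a method-only inventory misses them.

```javascript
// Added example (not from the original posts): discover what a DOM object
// actually exposes by walking its prototype chain, then diff that surface
// against method names transcribed from a spec.

// Every function-valued property and every settable accessor on obj or on any
// prototype above it (stopping at Object.prototype), with the prototype that
// defines it. Settable accessors are recorded because DOM XSS sinks such as
// innerHTML are setters, not methods.
function enumerateDomApi(obj) {
  const seen = new Set();
  const entries = [];
  for (let proto = obj; proto && proto !== Object.prototype; proto = Object.getPrototypeOf(proto)) {
    let owner = '(unknown)';
    try {
      owner = (proto.constructor && proto.constructor.name) || owner;
    } catch (e) { /* some host objects throw on property access; keep going */ }
    for (const name of Object.getOwnPropertyNames(proto)) {
      // A name lower in the chain shadows the same name higher up.
      if (name === 'constructor' || seen.has(name)) continue;
      seen.add(name);
      // getOwnPropertyDescriptor does not invoke getters, so this is side-effect free.
      const desc = Object.getOwnPropertyDescriptor(proto, name);
      if (!desc) continue;
      if (typeof desc.value === 'function') {
        entries.push({ name, kind: 'method', owner });
      } else if (typeof desc.set === 'function') {
        entries.push({ name, kind: 'setter', owner });
      }
    }
  }
  return entries;
}

// Entries whose name is not in the supplied spec list: in a browser this is
// the "extra" surface beyond the spec (document.write, innerHTML, ...).
function findUnspecified(entries, specMethodNames) {
  const spec = new Set(specMethodNames);
  return entries.filter(e => !spec.has(e.name));
}

// Partial transcription (my own) of the Node and Document method names in
// DOM Level 3 Core, http://www.w3.org/TR/DOM-Level-3-Core/core.html.
const DOM3_CORE_METHODS = [
  // Node
  'insertBefore', 'replaceChild', 'removeChild', 'appendChild', 'hasChildNodes',
  'cloneNode', 'normalize', 'isSupported', 'hasAttributes', 'compareDocumentPosition',
  'lookupPrefix', 'isDefaultNamespace', 'lookupNamespaceURI', 'isSameNode',
  'isEqualNode', 'getFeature', 'setUserData', 'getUserData',
  // Document
  'createElement', 'createDocumentFragment', 'createTextNode', 'createComment',
  'createCDATASection', 'createProcessingInstruction', 'createAttribute',
  'createEntityReference', 'getElementsByTagName', 'importNode', 'createElementNS',
  'createAttributeNS', 'getElementsByTagNameNS', 'getElementById', 'adoptNode',
  'normalizeDocument', 'renameNode',
];

// Constructed stand-in for a browser document so the example runs under Node:
// one spec'd method per prototype level plus two non-Core ways to change content.
class FakeNode {
  appendChild(child) { return child; }
  cloneNode() { return this; }
}
class FakeDocument extends FakeNode {
  createElement(tag) { return { tagName: tag }; }
  write(html) { this.written = (this.written || '') + html; } // HTML extension, not DOM Core
  set title(value) { this._title = value; }                   // settable attribute, not a method
  get body() { return null; }                                 // getter only: cannot update the DOM
}

// In a browser this inventories the real document; under Node the fake one.
const target = typeof document !== 'undefined' ? document : new FakeDocument();
for (const e of findUnspecified(enumerateDomApi(target), DOM3_CORE_METHODS)) {
  console.log(`${e.kind.padEnd(6)} ${e.owner}.${e.name}`);
}
```

Run in a browser, the loop prints every method and setter reachable from document that DOM Level 3 Core does not name; the list will be long because HTML, DOM Events and the other specs add their own interfaces on top of Core, which is exactly why Core alone looked incomplete. For a sink inventory, the same call on document.body and on a freshly created element covers the Element side.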

Lindsey Simon

Apr 25, 2012, 6:42:17 PM
to browse...@googlegroups.com
On Wed, Apr 25, 2012 at 2:37 PM, Dave Wichers <dwic...@gmail.com> wrote:

I wish I could answer, but alas, I know not.
You could write PPK maybe? I figure he knows more than most.

Dave Wichers

Apr 25, 2012, 7:04:22 PM
to browse...@googlegroups.com

I don't know who PPK is.

Chris Weber

Apr 25, 2012, 7:09:50 PM
to browse...@googlegroups.com, Dave Wichers
Hey Dave how's it going! I'm sure you know about this already:
https://code.google.com/p/domxsswiki/ Not sure how maintained it's been,
but I know Stefano and Mario were doing some work in this area.


On 4/25/2012 4:04 PM, Dave Wichers wrote:
> I don't know who PPK is.