DOMPurify, Security in the DOM, and Why We Really Need Both [pdf]

(www.usenix.org)

72 points _vvhw | 1 comments | 25 Sep 19 08:42 UTC | HN request time: 0.209s | source

Show context

zawerf ◴[25 Sep 19 10:30 UTC] No.21069377[source]▶

I am always irrationally(?) scared of using these sanitizers despite their successful history. As soon as new html/js/css syntax/features are introduced, won't your security model need to be reevaluated? Which seems like a lost cause at the rate new capabilities are introduced to the web. E.g., when CSS Shaders lands, you might be able to execute arbitrary gpu code with just css (hypothetically speaking, I don't actually know how it will work. I am sure it'll be sandboxed pretty well. But the problem remains that there are too many new possibilities to keep up with!).

replies(4): >>21069454 #>>21069510 #>>21069644 #>>21071017 #

nullandvoid ◴[25 Sep 19 14:20 UTC] No.21071017[source]▶

>>21069377 #

Isn't that like saying there's no point in using an anti virus as viruses are always evolving?

You're still catching entire classes of existing issues..

replies(3): >>21071586 #>>21071903 #>>21072437 #

1. hannob ◴[25 Sep 19 15:19 UTC] No.21071586[source]▶

>>21071017 #

> Isn't that like saying there's no point in using an anti virus as viruses are always evolving?

You're very close to understanding something.

(Though in defense of DOM purifiers they can use a whitelist)

↑