Ecma262: ignore all inside JS run. Is it feasible?

Created on 28 Dec 2018  ·  1 Comment  ·  Source: tc39/ecma262

<body>
    <div banScript id="editer">
        <!-- Ignore execution of inner JS scripts to prevent XSS -->
        <!-- ignore inside JS run  -->
        <p>
            <img src=a onerror=alert('xss')>
            <script>alert('xss,xss,xss,xss,xss,xss,xss,xss,xss,xss')</script>
        </p>
    </div>
</body>

Most helpful comment

This question appears to be about browsers; this repo is for the specification for the javascript language.

I'm not aware of the ability to ban inline scripts inside a specific element; although CSP can allow you to ban inline scripts on the whole page. You may be looking for https://html.spec.whatwg.org/
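
The page-wide CSP mentioned in the comment above, as an added example that is not part of the original thread: a Node.js response builder that sends a nonce-based `script-src`, so the inline `<script>` and the `onerror` handler from the issue's snippet are refused by the browser while the page's own nonce-tagged script still runs. The names `renderEditorPage`, `handler` and `UNTRUSTED_HTML` are hypothetical; the header and its directives are standard CSP.

```javascript
// Added example (not from the issue): page-wide CSP with a per-response nonce.
const { randomBytes } = require('node:crypto');

// Constructed sample: the untrusted markup from the issue's editor <div>.
const UNTRUSTED_HTML =
  "<img src=a onerror=alert('xss')>" +
  "<script>alert('xss')</script>";

// Build headers and body for one response (hypothetical helper).
function renderEditorPage(untrustedHtml) {
  // Fresh, unpredictable nonce per response, so injected markup cannot
  // carry a matching nonce attribute.
  const nonce = randomBytes(16).toString('base64');

  const csp = [
    "default-src 'self'",
    // No 'unsafe-inline': inline <script> elements without this nonce and
    // all inline event handlers (onerror=...) are refused by the browser.
    `script-src 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');

  // The untrusted markup is embedded as-is; the policy applies to the
  // whole document, not only to the editor element.
  const body = `<!doctype html>
<html>
<body>
  <div id="editer">${untrustedHtml}</div>
  <script nonce="${nonce}">console.log('trusted page script');</script>
</body>
</html>`;

  return {
    nonce,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': csp,
    },
    body,
  };
}

// Node http handler; wire up with http.createServer(handler).listen(port).
function handler(req, res) {
  const page = renderEditorPage(UNTRUSTED_HTML);
  res.writeHead(200, page.headers);
  res.end(page.body);
}
```

With this header in place the browser reports each blocked inline script and event handler as a CSP violation in the developer console.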
