Insane in the IFRAME -- The case for client-side HTML sanitization

•Download as PPTX, PDF•

3 likes•4,792 views

Server-side HTML sanitization is a familiar web application building block, yet despite years of offensive security research, defensive “sanitizer science” is still a kind of voodoo magic. This talk will make the case that as server-side HTML sanitizers lack the ability to effectively simulate every potential user agent, the client itself is the only party empowered to perform accurate sanitization. We will examine the DOM API primitives required to perform such client-side sanitization and review results and learning from a prototype implementation.

Technology

David Ross
Principal Software Security Engineer
Trustworthy Computing Security
Microsoft

• No independent parsing / context handling

document.implementation.createHTMLDocument

3. Remove elements / attributes / etc. not explicitly allowed*
*Old (less-performant) approach:
Build yet another DOM by copying safe
elements / attributes / etc. to a new
DOM during tree walk

document.implementation.createHTMLDocument
Must never run script

[Demo] [Benchmark]
Options precedence / inheritance rules:
(Options specified on target
element) > (options specified on
sanitize() call) > (default options)

Mario Heiderich @0x6D6172696F
JSAgents / IceShield
Gareth Heyes @garethheyes
JSLR
Ben Livshits
Loris D’Antoni
FAST
Caja HTML sanitizer
Stefano Di Paola Eduardo ‘Sirdarckcat’Vela N.

I just presented on HTML sanitization at OWASP AppSec EU 2013. AMA! (self.AMA)
1 Submitted 1 second ago by randomdross
0 comments share

Similar to Insane in the IFRAME -- The case for client-side HTML sanitization

The talk was held in Mainz at the JAX on April 21, 2016 The language is german. „Software is eating the world“ und das moderne Web hat sicherlich einen sehr großen Anteil daran. Wie könnte aber die nächste Evolutionsstufe im Web aussehen? Ein Kandidat sind hier die Web Components, die einen sehr einfachen Einstieg in die komponentenbasierte Strukturierung von Webanwendungen bieten. Hierbei können auch einzelne Komponenten in bestehende Anwendungen integriert und nachgerüstet werden, ohne dabei das Entwickler-Know-how im konkreten Framework zu verlieren. In diesem Vortrag wird zunächst ein Überblick über den aktuellen Status quo von Web Components gegeben und anschließend beispielhaft gezeigt, wie sich Komponenten in eine bestehende AngularJS-Anwendung integrieren lassen. Ein Ausblick auf Tooling und kommende Features rundet den Vortrag ab.

Web Components mit Polymer und AngularJS 1.x

PatrickHillert

„Software is eating the world“ und das moderne Web hat sicherlich einen sehr großen Anteil daran. Wie könnte aber die nächste Evolutionsstufe im Web aussehen? Ein Kandidat sind hier die Web Components, die einen sehr einfachen Einstieg in die komponentenbasierte Strukturierung von Webanwendungen bieten. Hierbei können auch einzelne Komponenten in bestehende Anwendungen integriert und nachgerüstet werden, ohne dabei das Entwickler-Know-how im konkreten Framework zu verlieren. In diesem Vortrag wird zunächst ein Überblick über den aktuellen Status quo von Web Components gegeben und anschließend beispielhaft gezeigt, wie sich Komponenten in eine bestehende AngularJS-Anwendung integrieren lassen. Ein Ausblick auf Tooling und kommende Features rundet den Vortrag ab. Event: JAX 2016, 21.04.2016 Speaker: Patrick Hillert, inovex GmbH Mehr Tech-Vorträge: https://www.inovex.de/de/content-pool/vortraege/

Web Components mit Polymer und AngularJS 1.x

inovex GmbH

Selenium for-ops

Łukasz Proszek

Standing on the Shoulders of Giants – The Kotti Web Application Framework

Don Disko

Automated JavaScript Deobfuscation - PacSec 2007

Stephan Chenette

Are you securing your microservice architectures by hiding them behind a firewall? That works, but there are better ways to do it. This presentation recommends 11 patterns to secure microservice architectures. 1. Be Secure by Design 2. Scan Dependencies 3. Use HTTPS Everywhere 4. Use Access and Identity Tokens 5. Encrypt and Protect Secrets 6. Verify Security with Delivery Pipelines 7. Slow Down Attackers 8. Use Docker Rootless Mode 9. Use Time-Based Security 10. Scan Docker and Kubernetes Configuration for Vulnerabilities 11. Know Your Cloud and Cluster Security Blog post: https://developer.okta.com/blog/2020/03/23/microservice-security-patterns

Security Patterns for Microservice Architectures - ADTMag Microservices & API...

Matt Raible

Microsoft Security Development Lifecycle

Razi Rais

Stage 1 Tradecraft

matt806068

Building Social Enterprise with Ruby and Salesforce

Raymond Gao

Client-side JavaScript

Lilia Sfaxi

Programmers building apps that work on every device and platform face many challenges. Despite the advances in browsers, tools and specs designed to meet those challenges, HTML is still an extremely limited language for composing complex apps. Web Components solve that problem by letting programmers extend HTML. This session shows how to use Web Components to build modern complex apps with reusable, responsive, framework-agnostic Web Components that can run (almost) everywhere. We'll talk about all the pieces that make this work, including native templates, Shadow DOM, custom elements, and polyfill libraries like polymer and x-tag.

Web components

Noam Kfir

Android Security - Common Security Pitfalls in Android Applications

BlrDroid

Bridging the Gap

Will Schroeder

This talk will review the advanced security features in DataStax Enterprise and discuss best practices for secure deployments. In particular, topics reviewed will cover: Authentication with Kerberos & LDAP/Active Directory, Role-based Authorization and LDAP role assignment, Auditing, Securing network communication, Encrypting data files and using the Key-Management Interoperability Protocol (KMIP) for secure off-host key management. The talk will also suggest strategies for addressing security needs not met directly by the built-in features of the database such as how to address applications that require Attribute Based Access Control (ABAC). About the Speaker Matt Kennedy Sr. Product Manager, DataStax Matt Kennedy works at DataStax as the product manager for DataStax Enterprise Core. Matt has been a Cassandra user and occasional contributor since version 0.7 and was named a Cassandra MVP in 2013 shortly before joining DataStax. Unlike Cassandra, Matt is not partition tolerant.

DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...

DataStax

XCS110_All_Slides.pdf

ssuser01066a

We all know we have Anonymous, LulzSec, and NSA around. With this in mind, isn't it time to think about the security of our systems? Well, of course. In this talk, we'll show how Domain Driven Design is used to counteract security weaknesses without one thinking "security" all the time. So, if you're interested in learning how to design secure software, then this session is for you. Business and technical attacks are two kinds of attacks, where the latter is most famous, e g SQL Injection & XSS. But it doesn't mean business attacks are less harmful. On the contrary, they tend to be extremely sophisticated and powerful as they often leave infrastructure intact without firing alarms. Domain Driven Security is the field that counteracts both categories by using tools and mindsets from DDD.

Domain Driven Security Jfokus 2016

Omegapoint Academy

Security Patterns for Microservice Architectures - London Java Community 2020

Matt Raible

Microsoft Entity Framework

Mahmoud Tolba

If I have to name a single biggest hype in software architecture land then it would be "microservice". They are supposed to be small and focused, can be deployed independently, can work with any technology and will solve all your monolithical problems. But we all know that silver bullets don't exist, plus technology should never be a goal, but merely a means to an end. Nonetheless, following the path towards real microservices is a great strategy for decomposing a monolith without the deployment complexity of the first. So how do you do that? What technologies does the .NET realm offer for us? In this talk, I'll show you some of the pros and cons of micro-services and its ingredients to leverage modern-day .NET and Event Sourcing to move your monolith into a bright new future.

Decomposing the Monolith using modern-day .NET and a touch of microservices

Dennis Doomen

PowerShell-and-DSC-Enables-DSCDevOps-1.pptx

prabhatthunuguntla

Similar to Insane in the IFRAME -- The case for client-side HTML sanitization (20)

Web Components mit Polymer und AngularJS 1.x

Selenium for-ops

Standing on the Shoulders of Giants – The Kotti Web Application Framework

Automated JavaScript Deobfuscation - PacSec 2007

Security Patterns for Microservice Architectures - ADTMag Microservices & API...

Microsoft Security Development Lifecycle

Stage 1 Tradecraft

Building Social Enterprise with Ruby and Salesforce

Client-side JavaScript

Web components

Android Security - Common Security Pitfalls in Android Applications

Bridging the Gap

DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...

XCS110_All_Slides.pdf

Domain Driven Security Jfokus 2016

Security Patterns for Microservice Architectures - London Java Community 2020

Microsoft Entity Framework

Decomposing the Monolith using modern-day .NET and a touch of microservices

PowerShell-and-DSC-Enables-DSCDevOps-1.pptx

Recently uploaded

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

ICT role in 21st century education and its challenges

rafiqahmad00786416

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Zilliz

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

Understanding the FAA Part 107 License ..

Christopher Logan Kennedy

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Recently uploaded (20)

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Why Teams call analytics are critical to your entire business

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

ICT role in 21st century education and its challenges

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Apidays New York 2024 - The value of a flexible API Management solution for O...

AWS Community Day CPH - Three problems of Terraform

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Vector Search -An Introduction in Oracle Database 23ai.pptx

Understanding the FAA Part 107 License ..

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

MINDCTI Revenue Release Quarter One 2024

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Insane in the IFRAME -- The case for client-side HTML sanitization

1. David Ross Principal Software Security Engineer Trustworthy Computing Security Microsoft

2. @randomdross

5. *

6. @NealPoole https://t.co/5omk5ec2UD

8. @kkotowicz @NealPoole @adam_baldwin

9. @sneak_ @superevr

10.

11. difficult

12.

13. • No independent parsing / context handling

14. everything else

15. document.implementation.createHTMLDocument

16. document.createTreeWalker

17. 3. Remove elements / attributes / etc. not explicitly allowed* *Old (less-performant) approach: Build yet another DOM by copying safe elements / attributes / etc. to a new DOM during tree walk

18.

19.

20. document.implementation.createHTMLDocument Must never run script

21.

22. setAttribute

23.

24. promises / deferreds

25.

26.

27.

28. [Demo] [Benchmark] Options precedence / inheritance rules: (Options specified on target element) > (options specified on sanitize() call) > (default options)

29.

30.

31.

32. Mario Heiderich @0x6D6172696F JSAgents / IceShield Gareth Heyes @garethheyes JSLR Ben Livshits Loris D’Antoni FAST Caja HTML sanitizer Stefano Di Paola Eduardo ‘Sirdarckcat’Vela N.

33.

34. I just presented on HTML sanitization at OWASP AppSec EU 2013. AMA! (self.AMA) 1 Submitted 1 second ago by randomdross 0 comments share

Insane in the IFRAME -- The case for client-side HTML sanitization

Recommended

Recommended

More Related Content

Similar to Insane in the IFRAME -- The case for client-side HTML sanitization

Similar to Insane in the IFRAME -- The case for client-side HTML sanitization (20)

Recently uploaded

Recently uploaded (20)

Insane in the IFRAME -- The case for client-side HTML sanitization