by bawolff
2115 days ago
Yes, blacklisting HTML tags instead of whitelisting (or parsing into some abstract form and reserializing) is a world of pain and very hard to get right. Additionally, CSP/iframe have a sandbox flag that can prevent navigating the _top target, which may have prevented this exploit assuming it could have been used (don't know what the Slack code looks like, maybe there was some reason it wasn't applicable).