Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
Friday, August 23 • 11:15am - 12:00pm
Insane in the IFRAME -- The case for client-side HTML sanitization

Server-side HTML sanitization is a familiar web application building block, yet despite years of offensive security research, defensive “sanitizer science” is still a kind of voodoo magic. This talk will make the case that, because server-side HTML sanitizers cannot effectively simulate every potential user agent, the client itself is the only party empowered to perform accurate sanitization. We will examine the DOM API primitives required to perform such client-side sanitization and review the results and lessons learned from a prototype implementation.

Bio:
David Ross is a Principal Security Software Engineer on the MSRC Engineering team at Microsoft. Prior to joining MSRC Engineering in 2002, Ross spent his formative years on the Internet Explorer Security Team.

Speakers
David Ross

Microsoft

Friday August 23, 2013 11:15am - 12:00pm CEST
Großer Saal