Talk:DOM clobbering

Comments from Maury Markowitz
This is not a full review, but I have some comments for things that I think need to be addressed: Maury Markowitz (talk) 17:07, 4 December 2023 (UTC)
 * in the Vulnerability section, there is no explanation of how this attack works. It does describe how it is set up, by inserting HTML with the same name as a variable. But it is entirely unexplained how one might inject the HTML to do this, nor how this assignment might be used.
 * the Threat model section states that it "depends on the attacker being able to inject potentially benign HTML into a website", but again, fails to mention how this might happen. It also says it is similar to another attack, but the description of that appears to be "getting user to click on an URL", and I'm not sure exactly how this paper is directly related to this topic.
 * I would suggest that History be the first sub-section, as it introduces a number of terms and gives some specific examples.


 * @Maury Markowitz I have tried to address your concerns
 * I've added some context as to how this attack uses the assignment of the variable to influence code execution.
 * I've added a example section to give a small example of how the attack might look like
 * I've updated the threat model to explain how a attack could inject markup into the page, I don't think it is compared to another attack, we just say that the 'threat model' being considered for this attack is similar to that which would be expected in a classical 'web attacker threat model'
 * The paper (Towards a Formal Foundation of Web Security) was one of the first papers to formally define what a 'web attacker threat model' actually is. (which is why it is cited right after the discussion regarding the model). The JSAgents/DOMPurify paper references the model, but does not delve into what it actually is (AFAIR)
 * I've moved the History section to the top.
 * Let me know if you have any other concerns. Sohom (talk) 19:37, 4 December 2023 (UTC)
 * @Maury Markowitz (Friendly re-ping) Let me know if there are any other things that I should address :)
 * Also, just a heads up, I might have some reduced availiability next week for personal reasons :) Sohom (talk) 19:31, 6 December 2023 (UTC)

Excellent update, my issues have been resolved! Maury Markowitz (talk) 17:33, 18 December 2023 (UTC)