So how bad this kind of attack can be, even though this doesn't have access to the current DOM elements?
It's worse than the rather limited examples in the linked article: in Firefox and Opera, data:
URIs do operate in the same security context as the document that includes them, and so can access DOM elements in your domain. This doesn't happen in Chrome/Safari, or IE9 (which deliberately has only partial support for data:
URIs).
In the case where HTML documents can be included, this delivers all the same risks as conventional XSS. That's primarily frames and links, but other attacks are possible(*).
example: http://jsbin.com/ukoqot/2/ - creates a link and an iframe, injecting the HTML document you type into data: URLs in both. Code in the linked/framed document picks up the security context of jsbin.com, allowing it to alert the source code of the jsbin index page.
Consequently you should consider data:
URIs to be just as risky as javascript:
URIs, and disallow them everywhere your webapp permits URIs to be submitted. (Really, whitelisting known-good URI schemes to stick to a limited selection such as http
/https
is best.)
(*: For example: put an attacker-submitted data:text/html...
URI in an <img src>
and the image won't work. But if the user can be duped into right-click-view-image, they'd load the resource as HTML, resulting in XSS.)