- From: <bugzilla@jessica.w3.org>
 - Date: Tue, 04 Jan 2011 22:00:24 +0000
 - To: public-html-bugzilla@w3.org
 
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11668
Ian 'Hixie' Hickson <ian@hixie.ch> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
--- Comment #1 from Ian 'Hixie' Hickson <ian@hixie.ch> 2011-01-04 22:00:24 UTC ---
An example would be a page that lets the user enter some font names that are
then inserted into a CSS <style> block via the DOM and which then uses
innerHTML to get the HTML serialisation of that <style> block. If the user
enters "</style><script>attack</script>" as a font name, innerHTML will return
markup that contains a <script> node, even though no <script> node existed in
the original DOM.
Received on Tuesday, 4 January 2011 22:00:27 UTC
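
The round trip described in Comment #1, as an added example that is not part of the original message or of any W3C code: a toy JavaScript model of `<style>` serialisation and re-parsing, with a hypothetical allowlist check applied before the text reaches the DOM. All function names (`serializeStyle`, `elementsAfterReparse`, `isPlainFontName`, `buildFontRule`) and sample inputs are constructed for illustration.

```javascript
// Toy model of the round trip in the comment above; not a full HTML parser.
// HTML fragment serialization writes the text inside <style> literally,
// with no escaping, so whatever the DOM text node holds ends up in markup.
function serializeStyle(cssText) {
  return "<style>" + cssText + "</style>";
}

// Names of the elements a parser would create from `markup`, in order.
// Models only what matters here: <style> and <script> content is raw text
// that ends at the first matching end tag, wherever that tag came from.
function elementsAfterReparse(markup) {
  const names = [];
  let rest = markup;
  for (;;) {
    const open = /<([a-z][a-z0-9]*)[^>]*>/i.exec(rest);
    if (!open) return names;
    const name = open[1].toLowerCase();
    names.push(name);
    rest = rest.slice(open.index + open[0].length);
    if (name !== "style" && name !== "script") continue;
    const end = new RegExp("</" + name + "[\\t\\n\\f\\r />]", "i").exec(rest);
    if (!end) return names; // unterminated raw text swallows the rest
    const gt = rest.indexOf(">", end.index);
    if (gt === -1) return names;
    rest = rest.slice(gt + 1);
  }
}

// Hypothetical allowlist for a font-name field: letters, digits, space, - and _.
function isPlainFontName(name) {
  return /^[A-Za-z0-9 _-]{1,64}$/.test(name);
}

// Builds the rule only from validated names, then confirms that serialising
// and re-parsing would still produce a single <style> element.
function buildFontRule(fontName) {
  if (!isPlainFontName(fontName)) throw new Error("rejected font name");
  const css = 'body { font-family: "' + fontName + '"; }';
  const reparsed = elementsAfterReparse(serializeStyle(css));
  if (reparsed.length !== 1 || reparsed[0] !== "style") {
    throw new Error("style text does not survive an innerHTML round trip");
  }
  return css;
}

// Constructed inputs: a benign name and the string quoted in the comment.
const BENIGN = "Georgia";
const FROM_COMMENT = "</style><script>attack</script>";
```

The model only tracks element boundaries, so it shows where the serialised text stops being `<style>` content but says nothing about CSS-level validity.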