W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > March 2011

[Bug 12398] Tokenizer stuck in ScriptDataDoubleEscapedState

From: <bugzilla@jessica.w3.org>
Date: Wed, 30 Mar 2011 06:17:08 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1Q4oiK-0004ea-G3@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12398

--- Comment #3 from Henri Sivonen <hsivonen@iki.fi> 2011-03-30 06:17:07 UTC ---
It's known that there exists some sites on the Web where the spec gets stuck
inside a script. That's the price of never reparsing.

Is this breaking a top site that you have been unable to evangelize?

With Firefox, the script states have been a wild success beyond my
expectations. Exactly one case of site breakage has reached me on b.m.o and
that site was successfully evangelized.

With the data presented so far, I'd WONTFIX this.

To the extent this affects Bugzilla itself, it's a bug in Bugzilla, although I
thought the bug was already fixed in upstream Bugzilla. In general, any Web app
that includes untrusted strings as string literals in inline scripts MUST
escape < as \u003C to be safe. (That's the simplest way to deal with <!--,
<script> and </script> all in one go.)

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Wednesday, 30 March 2011 06:17:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 March 2011 06:17:10 GMT