- From: <bugzilla@jessica.w3.org>
- Date: Tue, 15 Oct 2013 11:11:21 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=12235

--- Comment #26 from Henri Sivonen <hsivonen@hsivonen.fi> ---
(In reply to Aryeh Gregor from comment #20)
> (In reply to Carl Smith from comment #17)
> > output = '<xmp>'+output+'</xmp>'; // works perfectly
>
> Only until your output happens to contain the string "</xmp>" (or any
> equivalent). Then it will break. If your application accepts untrusted
> input, moreover, you've created a very easily exploitable XSS vulnerability.

This pretty much sums up why this should remain WONTFIX.

--
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Tuesday, 15 October 2013 11:11:32 UTC
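
Added example, not part of the archived message or of anyone's code in the bug: the wrapper quoted from comment #17 next to an escaping alternative, with a simplified model of where the HTML tokenizer ends <xmp> content. The function names, the sample strings and the simplified end-tag rule (attributes on the end tag are not parsed) are assumptions made for this illustration.

```javascript
// Wrapper as quoted in the thread: no encoding, relies on <xmp> alone.
function wrapInXmp(output) {
  return '<xmp>' + output + '</xmp>';
}

// Alternative: encode HTML-significant characters, then use <pre>.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}
function wrapInPre(output) {
  return '<pre>' + escapeHtml(output) + '</pre>';
}

// Simplified model: <xmp> content ends at the first "</xmp" (ASCII
// case-insensitive) followed by whitespace, "/" or ">". These are the
// 'equivalents' of "</xmp>" that comment #20 refers to.
const XMP_END = /<\/xmp[\t\n\f\r \/>]/i;

// Splits wrapped markup into the text kept inside <xmp> and the remainder
// that the parser would go on to treat as ordinary HTML.
function splitAtXmpEnd(html) {
  const start = html.indexOf('<xmp>') + '<xmp>'.length;
  const m = XMP_END.exec(html.slice(start));
  if (!m) return { text: html.slice(start), remainder: '' };
  const endTagStart = start + m.index;
  const endTagClose = html.indexOf('>', endTagStart);
  return {
    text: html.slice(start, endTagStart),
    remainder: endTagClose === -1 ? '' : html.slice(endTagClose + 1),
  };
}

// Constructed sample inputs.
const BENIGN = 'if (a < b) { print("<b>hi</b>"); }';
const HOSTILE = 'done</XMP ><b>injected</b>';

for (const sample of [BENIGN, HOSTILE]) {
  const { text, remainder } = splitAtXmpEnd(wrapInXmp(sample));
  console.log({ text, remainder, escaped: wrapInPre(sample) });
}
```

For the benign sample the remainder is empty; for the second sample everything after the injected end tag lands outside the element, while the escaped <pre> form contains no markup from the input at all.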