[Bug 12235] Make <xmp> conforming

From: <bugzilla@jessica.w3.org>
Date: Tue, 15 Oct 2013 11:11:21 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-12235-2486-lWYPPSLcyy@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=12235

--- Comment #26 from Henri Sivonen <hsivonen@hsivonen.fi> ---
(In reply to Aryeh Gregor from comment #20)
> (In reply to Carl Smith from comment #17)
> > output = '<xmp>'+output+'</xmp>'; // works perfectly
> 
> Only until your output happens to contain the string "</xmp>" (or any
> equivalent).  Then it will break.  If your application accepts untrusted
> input, moreover, you've created a very easily exploitable XSS vulnerability.

This pretty much sums up why this should remain WONTFIX.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Tuesday, 15 October 2013 11:11:32 UTC
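The breakage Aryeh describes, as an added JavaScript example that is not from the thread or the spec: `canTerminateXmp` applies the HTML raw-text end-tag rule (`</xmp` followed by whitespace, `/` or `>`, case-insensitively), and the escaping-based alternative beside the unsafe wrapper uses hypothetical function names.

```javascript
// Added example (not from the thread): why '<xmp>' + output + '</xmp>' breaks,
// and an escaping-based alternative. All function names are hypothetical.

// <xmp> is a raw-text element: the parser ends it at the first "</xmp"
// (ASCII case-insensitive) followed by whitespace, "/" or ">". Everything
// after that point is parsed as ordinary HTML again, which is the hole.
const XMP_END_TAG = /<\/xmp[\t\n\f\r \/>]/i;

function canTerminateXmp(text) {
  return XMP_END_TAG.test(text);
}

// The pattern from comment #17: fine only while output never contains
// an end tag in any of its equivalent spellings.
function wrapInXmpUnsafe(output) {
  return '<xmp>' + output + '</xmp>';
}

// Alternative: escape the characters that are significant in normal HTML
// and use <pre>, which is not raw text, so there is no end tag to escape from.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

function wrapAsPreformatted(output) {
  return '<pre>' + escapeHtml(output) + '</pre>';
}

// Constructed input: contains an end tag in one of its "equivalent" spellings.
const sample = 'a < b && c > d\n</XMP\t><p>parsed as markup after this point</p>';

console.log(canTerminateXmp(sample));                    // true: the xmp wrapper is cut open
console.log(canTerminateXmp(escapeHtml(sample)));        // false: nothing left to close it
console.log(wrapAsPreformatted(sample));
```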