
html5/spec Overview.html,1.3237,1.3238

From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
Date: Mon, 05 Oct 2009 03:22:16 +0000
To: public-html-commits@w3.org
Message-Id: <E1Mue9Q-0004Rf-Dh@lionel-hutz.w3.org>
Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv17071

Modified Files:
	Overview.html 
Log Message:
Disallow ` in unquoted attribute values. (whatwg r4076)

Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3237
retrieving revision 1.3238
diff -u -d -r1.3237 -r1.3238
--- Overview.html	5 Oct 2009 02:16:19 -0000	1.3237
+++ Overview.html	5 Oct 2009 03:22:13 -0000	1.3238
@@ -53199,9 +53199,39 @@
     characters</a>, any U+0022 QUOTATION MARK (<code>"</code>)
     characters, U+0027 APOSTROPHE (<code>'</code>) characters,
     U+003D EQUALS SIGN (<code>=</code>) characters, U+003C LESS-THAN
-    SIGN (<code>&lt;</code>) characters, or U+003E GREATER-THAN SIGN
-    (<code>&gt;</code>) characters, and must not be the empty
-    string.</p>
+    SIGN (<code>&lt;</code>) characters, U+003E GREATER-THAN SIGN
+    (<code>&gt;</code>) characters, or U+0060 GRAVE ACCENT (`)
+    characters, and must not be the empty string.</p>
+
+    <!-- The ` character is in this list on a temporary basis, waiting
+         for IE to fix it's parsing bug whereby it treats ` as an
+         attribute value delimiter. Otherwise, escaping software that
+         tries to be clever and not use quotes when it doesn't need to
+         could be tricked by an attacker.
+
+         Posit a site that allows the user to input text that is used
+         verbatim in two attributes, such that the user can set the
+         first attribute's value to:
+
+            `
+
+         ...and the second to:
+
+            ` onload='...payload...' end=x
+
+         ...with the assumption that the site is going to not quote
+         the first one, and quote the second one with double quotes:
+
+            <body title=` class="` onload='...payload...' end=x">
+
+         In IE, this is treated as:
+
+            <body title=' class="'
+                  onload='...payload...'
+                  end='x"'>
+
+    -->
+
 
     <div class="example">
 
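Review bot: the rationale comment says the ` restriction is "on a temporary basis" but gives no condition or reference for lifting it; add a pointer to the IE bug (or at least the whatwg revision r4076 from the log message) so a later editor can tell when the U+0060 entry may be dropped from the normative sentence. Typo in the comment: "waiting for IE to fix it's parsing bug" should read "its". The comment also states the real defensive requirement, that "escaping software that tries to be clever and not use quotes" is what gets tricked; that point belongs in author-facing text next to the normative sentence rather than only in an HTML comment, because the change here only makes a bare ` non-conforming in an unquoted value and does not alter how any browser parses it, so serializers that always quote attribute values remain the actual mitigation.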
@@ -55158,6 +55188,7 @@
 
    <dt>U+003C LESS-THAN SIGN (&lt;)</dt>
    <dt>U+003D EQUALS SIGN (=)</dt>
+   <dt>U+0060 GRAVE ACCENT (`)</dt>
    <dd><a href="#parse-error">Parse error</a>. Treat it as per the "anything else"
    entry below.</dd>
 
@@ -55238,6 +55269,7 @@
    <dt>U+0027 APOSTROPHE (')</dt>
    <dt>U+003C LESS-THAN SIGN (&lt;)</dt>
    <dt>U+003D EQUALS SIGN (=)</dt>
+   <dt>U+0060 GRAVE ACCENT (`)</dt>
    <dd><a href="#parse-error">Parse error</a>. Treat it as per the "anything else"
    entry below.</dd>
 
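Review bot: this entry duplicates the one in the previous hunk, and the two tokenizer entries plus the normative sentence in the first hunk are now three places that must be kept in sync; a comment noting that, or a single shared note, would prevent a partial revert later. It is also worth being explicit that the parse error is only a validator signal: the example in the first hunk's comment, `<body title=` class="` onload='...payload...' end=x">`, is treated by IE exactly as before regardless of this change, so escaping libraries should keep quoting every attribute value and treat this entry as a conformance check rather than a mitigation.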
Received on Monday, 5 October 2009 03:22:20 GMT