hixie: Raise the profile of a note to the level of a warning, since what it is talking about could result in XSS. (whatwg r5839)

From: poot <cvsmail@w3.org>
Date: Mon, 07 Feb 2011 17:36:58 -0500
To: public-html-diffs@w3.org
Message-Id: <E1PmZha-0006Xv-A9@jay.w3.org>
hixie: Raise the profile of a note to the level of a warning, since what
it is talking about could result in XSS. (whatwg r5839)

http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.4688&r2=1.4689&f=h
http://html5.org/tools/web-apps-tracker?from=5838&to=5839

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.4688
retrieving revision 1.4689
diff -u -d -r1.4688 -r1.4689
--- Overview.html	7 Feb 2011 21:41:00 -0000	1.4688
+++ Overview.html	7 Feb 2011 22:34:41 -0000	1.4689
@@ -62575,22 +62575,40 @@
   </ol><p class="note">Entity reference nodes are <a href="#entity-references">assumed to be expanded</a> by the user
   agent, and are therefore not covered in the algorithm above.</p>
 
-  <p class="note">It is possible that the output of this algorithm, if
+  <p class="warning">It is possible that the output of this algorithm, if
   parsed with an <a href="#html-parser">HTML parser</a>, will not return the
-  original tree structure. For instance, if a <code><a href="#the-textarea-element">textarea</a></code>
-  element to which a <code title="">Comment</code> node has been
-  appended is serialized and the output is then reparsed, the comment
-  will end up being displayed in the text field. Similarly, if, as a
-  result of DOM manipulation, an element contains a comment that
-  contains the literal string "<code title="">--&gt;</code>", then
-  when the result of serializing the element is parsed, the comment
-  will be truncated at that point and the rest of the comment will be
-  interpreted as markup. More examples would be making a
-  <code><a href="#script">script</a></code> element contain a text node with the text string
-  "<code>&lt;/script&gt;</code>", or having a <code><a href="#the-p-element">p</a></code> element that
-  contains a <code><a href="#the-ul-element">ul</a></code> element (as the <code><a href="#the-ul-element">ul</a></code> element's
-  <a href="#syntax-start-tag" title="syntax-start-tag">start tag</a> would imply the end
-  tag for the <code><a href="#the-p-element">p</a></code>).</p>
+  original tree structure.</p>
+
+  <div class="example">
+
+   <p>For instance, if a <code><a href="#the-textarea-element">textarea</a></code> element to which a
+   <code title="">Comment</code> node has been appended is serialized
+   and the output is then reparsed, the comment will end up being
+   displayed in the text field. Similarly, if, as a result of DOM
+   manipulation, an element contains a comment that contains the
+   literal string "<code title="">--&gt;</code>", then when the result
+   of serializing the element is parsed, the comment will be truncated
+   at that point and the rest of the comment will be interpreted as
+   markup. More examples would be making a <code><a href="#script">script</a></code> element
+   contain a text node with the text string
+   "<code>&lt;/script&gt;</code>", or having a <code><a href="#the-p-element">p</a></code> element
+   that contains a <code><a href="#the-ul-element">ul</a></code> element (as the <code><a href="#the-ul-element">ul</a></code>
+   element's <a href="#syntax-start-tag" title="syntax-start-tag">start tag</a> would
+   imply the end tag for the <code><a href="#the-p-element">p</a></code>).</p>
+
+   <p>This can enable cross-site scripting attacks. An example of this
+   would be a page that lets the user enter some font names that are
+   then inserted into a CSS <code><a href="#the-style-element">style</a></code> block via the DOM and
+   which then uses the <code title="dom-innerHTML"><a href="#dom-innerhtml">innerHTML</a></code>
+   IDL attribute to get the HTML serialization of that
+   <code><a href="#the-style-element">style</a></code> element: if the user enters
+   "<code>&lt;/style&gt;&lt;script&gt;attack&lt;/script&gt;</code>" as a font
+   name, <code title="dom-innerHTML"><a href="#dom-innerhtml">innerHTML</a></code> will return
+   markup that, if parsed in a different context, would contain a
+   <code><a href="#script">script</a></code> node, even though no <code><a href="#script">script</a></code> node
+   existed in the original DOM.</p>
+
+  </div>
 
   <p><dfn id="escapingString">Escaping a string</dfn> (for the
   purposes of the algorithm above) consists of running the following
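Review bot: the new "This can enable cross-site scripting attacks" paragraph describes the style/innerHTML attack but stops short of telling authors what to do about it, which is the point of raising this from a note to a warning. Suggest closing the example with one sentence of guidance, for instance "Authors should therefore not treat the serialization of a DOM as a trusted representation of it, and should check text inserted into script, style and Comment nodes for the sequences that terminate them (`</script>`, `</style>`, `-->`)." The `</script>`, `-->` and `</style><script>attack</script>` cases spread across the two paragraphs are all one failure mode (text content that contains the end delimiter of a raw text element or comment, which the serialization does not protect), so stating that rule once would make the warning clearer than the list of instances. Minor: "a CSS style block" reads better as "a style element", matching the element reference used later in the same sentence.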
Received on Monday, 7 February 2011 22:36:59 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 February 2011 22:37:05 GMT