In case reparsing upon EOF inside comment is considered: Reparsing anything upon EOF is bad for security, because stuff that a gatekeeper thought was harmless can turn into a runnable script if an attacker manages to force a premature EOF e.g. by disrupting the network stream. If the spec ends up specifying reparsing anyway, rewinding the byte stream to a particular point is more painful from an implementation perspective than simulating document.write with the decoded characters accumulated in the comment buffer. -- Henri Sivonen hsivonen@iki.fi http://hsivonen.iki.fi/Received on Thursday, 20 March 2008 14:17:13 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:40:09 GMT