- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 2 Jul 2009 05:18:45 +0000 (UTC)
- To: Henri Sivonen <hsivonen@iki.fi>
- Cc: "public-html@w3.org WG" <public-html@w3.org>
On Mon, 8 Jun 2009, Henri Sivonen wrote:
>
> The spec allows implementations to place limits on the sizes of various things
> in HTML in order to avoid exhausting resources.
>
> There are various buffers in the HTML5 parser all of which a remote site can
> fill arbitrarily much by choosing a suitable input. Has someone already
> pondered the security implications of the following strategies? That is, are
> either of these safe?
>
> 1) Truncating a buffer from the end and leaving U+FFFD as the last character
> in the buffer.
>
> 2) Truncating a buffer from the beginning and leaving U+FFFD as the first
> character in the buffer.
>
> (It seems that dropping the buffer entirely is inconvenient e.g. when the
> buffer is an element name, although I guess it's an option for attribute
> values and element content.)

Both options seem reasonable; personally I implemented the former (though if I
recall correctly, I used "... truncated", with a space, rather than U+FFFD,
since that way it couldn't clash with a non-truncated attribute).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
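The two truncation strategies from Henri's question, plus the "can't clash with a non-truncated attribute" property Ian relies on, as an added example written for this page (not code from either author or from any browser's parser); the attribute-name terminator set and the inputs are constructed for the demo:

```python
from collections import deque

REPLACEMENT_CHAR = "\ufffd"
TRUNCATED_MARK = "... truncated"  # Hickson's variant; note the space

# Constructed for the demo: characters the tokenizer never lets into an
# attribute name (whitespace ends the name, the others switch state).
ATTR_NAME_TERMINATORS = set("\t\n\f />=\"'<")


class BoundedBuffer:
    """Tokenizer buffer with a hard size limit.

    mode="head": keep the first `limit` chars, append marker (truncate from end).
    mode="tail": keep the last `limit` chars, prepend marker (truncate from start).
    Memory stays O(limit) no matter how much input the remote site sends.
    """

    def __init__(self, limit, marker=REPLACEMENT_CHAR, mode="head"):
        self.limit, self.marker, self.mode = limit, marker, mode
        self.chars = deque(maxlen=limit)  # evicts the oldest char when full
        self.truncated = False

    def append(self, ch):
        if len(self.chars) < self.limit:
            self.chars.append(ch)
        elif self.mode == "tail":
            self.chars.append(ch)  # deque drops the first char for us
            self.truncated = True
        else:
            self.truncated = True  # head mode: discard everything past the limit

    def value(self):
        body = "".join(self.chars)
        if not self.truncated:
            return body
        return body + self.marker if self.mode == "head" else self.marker + body


def marker_can_clash(marker):
    """True if a legitimate (non-truncated) attribute name could equal a
    truncated one, i.e. every char of the marker is admissible in a name."""
    return all(ch not in ATTR_NAME_TERMINATORS for ch in marker)


def read_attr_name(text, limit, marker=REPLACEMENT_CHAR):
    """Consume an attribute name from `text` into a bounded head-truncating buffer."""
    buf = BoundedBuffer(limit, marker)
    for ch in text:
        if ch in ATTR_NAME_TERMINATORS:
            break
        buf.append(ch.lower())
    return buf.value()
```

Because U+FFFD is itself admissible inside an attribute name, a U+FFFD-terminated truncation can coincide with a real name; a marker containing a space cannot.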
Received on Thursday, 2 July 2009 05:19:20 UTC