[whatwg] Web Forms 2.0 comments - [ID] repetition index replacement

Ian Hickson wrote:
> On Tue, 15 Jun 2004, fantasai wrote:
> 
>>Change the replacement punctuation from "[id]" to "-.id.-" or ":-id-:" or
>>something like that. This has two advantages:
>>
>>   a) The combination of that very unusual punctuation sequence (both
>>      opening and closing) /and/ an exact match of the template ID is
>>      going to be so rare as to be practically ignorable.
> 
> Malicious users could trivially work out the combination that would break
> this, so I don't think that's a solution to the problem.

Malicious users could trivially use JavaScript to modify the DOM at will
the way you used it to insert a style sheet into that CSS Test Suite.
They could do that to any page they wanted, in any element attribute they
wanted, without relying on the author supplying a repeat template *and*
using repetition index replacement in the *value* of a form control, which
itself would not be common. They could fake the form data, they could edit
the HTML doc itself, they could write their own malicious UA -- there are
many, many things malicious users could do for which the server needs to
have some safeguard, and this is the least of them.

The consideration here is accidentally matching the string of code, not
intentionally matching it.

>>   b) ID and NAME attributes using the replacement mechanism can still
>>      be valid.
> 
> That's a good point though. I'm not sure I like "-.id.-" or ":-id-:", or
> ".id:" or "_id-" or other combinations I've looked at, though.
> 
>    name="order-row_"
>    name="order_row-"
>    name="order.row:"
>    name="order:row."
>    name="order-row."
> 
> ...hmm, none of those leap out at me.

I prefer the "use two bits of punctuation symmetrically" approach.
Using just a single one seems unwise; it's much more common.

"-:id:-" looks reasonable, I guess, if you're going for aesthetics.
I picked :-id-: 'coz it would be even rarer, and it does hold together
as a sort of visual box.

<div id="n:-templ-:"/>

~fantasai

-- 
http://fantasai.inkedblade.net/contact

Received on Tuesday, 22 June 2004 11:15:55 UTC
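The two points fantasai makes, accidental matching of the placeholder and validity of ID/NAME tokens, are easy to see in a toy model of repetition index replacement. The following is an added example written for this page, not code from the Web Forms 2.0 draft or from anyone in the thread; the placeholder schemes, the template id `row`, and the sample attribute values are constructed for illustration, and the token check is the HTML 4 ID/NAME token syntax.

```javascript
// Added example (not from the thread): toy model of repetition index
// replacement, comparing the "[id]" placeholder with a symmetric one
// like ":-id-:". Template id and attribute values are constructed.

// Placeholder builders for a given template id under each scheme.
// The scheme names "bracket" and "symmetric" are assumptions for this example.
const SCHEMES = {
  bracket: (id) => `[${id}]`,
  symmetric: (id) => `:-${id}-:`,
};

// Replace every occurrence of the placeholder for templateId with the index.
// A UA scanning attribute values has no way to tell an intended placeholder
// from the same characters appearing by coincidence; that is point (a).
function replaceIndex(value, templateId, index, scheme) {
  const token = SCHEMES[scheme](templateId);
  return value.split(token).join(String(index));
}

// HTML 4 ID/NAME token: a letter, then letters, digits, "-", "_", ":" or ".".
// Square brackets are not allowed, which is point (b) in the thread.
const ID_TOKEN = /^[A-Za-z][A-Za-z0-9\-_:.]*$/;
function isValidIdToken(s) {
  return ID_TOKEN.test(s);
}

// Instantiate one repetition block: every attribute is scanned for the placeholder.
function instantiate(templateId, index, scheme, attrs) {
  const out = {};
  for (const [k, v] of Object.entries(attrs)) {
    out[k] = replaceIndex(v, templateId, index, scheme);
  }
  return out;
}

// Constructed scenario: a template with id "row" whose control's value attribute
// happens to contain the literal text "[row]" for unrelated reasons.
function demo() {
  const templateId = 'row';
  const bracketAttrs = { name: 'order[row]', value: 'Qty in [row]' };
  const symmetricAttrs = { name: 'order:-row-:', value: 'Qty in [row]' };
  return {
    // Is the un-instantiated template's name a valid ID/NAME token?
    bracketNameValid: isValidIdToken(bracketAttrs.name),     // false
    symmetricNameValid: isValidIdToken(symmetricAttrs.name), // true
    // After instantiation as row 3: "[id]" also rewrites the unrelated value text.
    bracket: instantiate(templateId, 3, 'bracket', bracketAttrs),
    symmetric: instantiate(templateId, 3, 'symmetric', symmetricAttrs),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under the `[id]` scheme the value `Qty in [row]` becomes `Qty in 3`, an accidental match of exactly the kind the reply is worried about, while the symmetric scheme leaves it alone and also keeps the template's `name` a valid token before instantiation.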