[whatwg] several messages about XML syntax and HTML5

From: Simon Pieters <zcorpan@hotmail.com>
Date: Fri, 08 Dec 2006 22:09:18 +0000
Message-ID: <BAY109-F34BD0432FB12A2A9F6B7F2B4D30@phx.gbl>
Hi,

From: Sander Tekelenburg <tekelenb@euronet.nl>
>Right. That's a window of opportunity (for the sort of attack I mentioned)
>I'm voicing concern about. I agree that it will likely be much harder when
>all browsers are HTML5-compliant and most authors produce HTML5. But before
>that?

Well... for the past 7-8 years it has been possible to use IE's conditional 
comments to completely hide everything from non-IE browsers:

   <!--[if IE]>
    ...page content...
   <![endif]-->

Similarly, bugs in browsers' CSS implementation have made it possible to only 
show the content for a single browser, e.g.:

   body { display:none; }
   * html body { display:block; }

I'm sure you can find bugs or features in every language supported by 
browser vendors that allow for these kinds of attacks, and have been 
possible for years. If it hasn't happened as of now, why do you think it 
will happen in the next few years? Does it matter if it is HTML parsing that 
is exploited or some other technology?

Regards,
Simon Pieters

Received on Friday, 8 December 2006 14:09:18 UTC
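
A scanner for the two patterns quoted in the message above, written as an added example that is not part of the original message or the list archive. The function names and sample inputs are constructed, and the CSS handling assumes flat rules with no @media nesting.

```javascript
// Added example: flags the two single-browser content-hiding patterns from the message.
// Function names and sample inputs are constructed for illustration.

// Downlevel-hidden conditional comment: non-IE parsers see the whole span as one comment.
function findConditionalComments(html) {
  const re = /<!--\[if\s+([^\]]+)\]>([\s\S]*?)<!\[endif\]-->/gi;
  return [...html.matchAll(re)].map(m => ({ condition: m[1].trim(), hiddenChars: m[2].trim().length }));
}

// Parse flat CSS rules (assumption: no nesting, no @media blocks) into {selector, decls}.
function parseRules(css) {
  const rules = [];
  const noComments = css.replace(/\/\*[\s\S]*?\*\//g, "");
  for (const m of noComments.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    const decls = {};
    for (const d of m[2].split(";")) {
      const i = d.indexOf(":");
      if (i > 0) decls[d.slice(0, i).trim().toLowerCase()] = d.slice(i + 1).trim().toLowerCase();
    }
    for (const sel of m[1].split(",")) {
      rules.push({ selector: sel.trim().replace(/\s+/g, " ").toLowerCase(), decls });
    }
  }
  return rules;
}

// Star-html hack: "* html X" only matches in old IE. Report X when a plain rule
// hides X for every browser and the hacked selector switches display back on.
function findStarHtmlReveals(css) {
  const rules = parseRules(css);
  const display = r => (r.decls.display || "").replace(/\s*!important$/, "");
  const hidden = new Set(rules.filter(r => display(r) === "none").map(r => r.selector));
  return rules
    .filter(r => r.selector.startsWith("* html ") && display(r) !== "" && display(r) !== "none")
    .map(r => r.selector.slice("* html ".length))
    .filter(target => hidden.has(target));
}

// Constructed sample inputs mirroring the snippets quoted in the message.
const sampleHtml = "<html><body><!--[if IE]>\n<p>page content</p>\n<![endif]--></body></html>";
const sampleCss = "body { display:none; }\n* html body { display:block; }";
console.log(findConditionalComments(sampleHtml), findStarHtmlReveals(sampleCss));
```
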

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:08:31 UTC