
[whatwg] comment parsing

From: Lachlan Hunt <lachlan.hunt@lachy.id.au>
Date: Mon, 23 Jan 2006 13:50:28 +1100
Message-ID: <43D44474.3060903@lachy.id.au>
Ian Hickson wrote:
> Imagine that the page contains the following:
> 
>    ...
>    <!--
>      <script> hostileScript(); </script>
>    -->
>    ...
> 
> ...where "hostileScript()" is some script that does something bad.
> 
> A DOS attack on the server could cause the transmitted text to be:
> 
>    ...
>    <!--
>      <script> hostileScript(); </script>
> 
> ...which, if we re-parse the content upon hitting EOF with an open 
> comment, would cause the script to be executed.

I don't understand these security concerns.  How is reparsing it after 
reaching EOF any different from someone writing exactly the same script 
without opening a comment before it?  Won't the script be executed in 
exactly the same way in both cases?

However, don't take this as support for choosing to reparse it; I don't 
like the concept of doing that at all for other reasons. I just don't 
understand this security concern.

-- 
Lachlan Hunt
http://lachy.id.au/
Received on Sunday, 22 January 2006 18:50:28 GMT
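An added illustration, not part of either message above: a toy tokenizer, constructed for this page and not a real HTML parser, that implements the two EOF-in-comment policies under discussion and reports which script bodies each policy would hand to the script engine. It is run over three constructed inputs: the intact page, the page truncated before the closing `-->`, and the same page written without any comment. The policy names (`"comment"`, `"reparse"`) and the input documents are assumptions of the example.

```python
import re

# Constructed toy tokenizer: it only distinguishes comments, <script>
# elements and ordinary text. It is NOT a real HTML parser; it exists to
# show how the two EOF-in-comment policies differ on the same input.

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script\s*>", re.S | re.I)


def tokenize(html, eof_in_comment):
    """Return a list of (kind, payload) tokens.

    eof_in_comment == "comment": an unterminated comment swallows the rest
        of the document (the whole tail becomes one comment token).
    eof_in_comment == "reparse": the unterminated '<!--' is emitted as
        ordinary text and whatever followed it is tokenized again, which is
        the behaviour the quoted message warns about.
    """
    tokens = []
    pos = 0
    while pos < len(html):
        if html.startswith("<!--", pos):
            end = html.find("-->", pos + 4)
            if end != -1:
                tokens.append(("comment", html[pos + 4:end]))
                pos = end + 3
                continue
            # Unterminated comment: this is where the two policies diverge.
            if eof_in_comment == "comment":
                tokens.append(("comment", html[pos + 4:]))
                return tokens
            tokens.append(("text", "<!--"))  # reparse: '<!--' is just text
            pos += 4
            continue
        m = SCRIPT_RE.match(html, pos)
        if m:
            tokens.append(("script", m.group(1).strip()))
            pos = m.end()
            continue
        # Ordinary text: everything up to the next '<' (or end of input).
        nxt = html.find("<", pos + 1)
        if nxt == -1:
            nxt = len(html)
        tokens.append(("text", html[pos:nxt]))
        pos = nxt
    return tokens


def scripts_that_would_run(html, eof_in_comment):
    """Script bodies the script engine would receive under the given policy."""
    return [payload for kind, payload in tokenize(html, eof_in_comment)
            if kind == "script"]


# Constructed sample documents (not from the original page).
FULL = (
    "<p>Intro</p>\n"
    "<!--\n"
    "  <script> hostileScript(); </script>\n"
    "-->\n"
    "<p>Outro</p>\n"
)
# The same page cut off before its closing '-->', as a truncated transfer
# would leave it.
TRUNCATED = FULL[:FULL.index("-->")]
# The same script written with no comment around it at all.
NO_COMMENT = "<p>Intro</p>\n<script> hostileScript(); </script>\n"

if __name__ == "__main__":
    for name, doc in (("full", FULL), ("truncated", TRUNCATED),
                      ("no comment", NO_COMMENT)):
        for policy in ("comment", "reparse"):
            print(f"{name:10s} {policy:8s} -> "
                  f"{scripts_that_would_run(doc, policy)}")
```

Running it shows that the intact page and the comment-free page tokenize identically under both policies, while the truncated page yields a script token only under the reparse policy; for an implementer the EOF rule is therefore what decides whether a cut-off transfer can change which parts of the author's markup become live.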
