[whatwg] comment parsing

On Mon, 23 Jan 2006, Lachlan Hunt wrote:
> 
> I don't understand these security concerns.  How is reparsing it after
> reaching EOF any different from someone writing exactly the same script
> without opening a comment before it?  Won't the script be executed in exactly
> the same way in both cases?

The difference is that a sanitiser script would notice a <script> element, 
but would not notice the contents of a comment. Comments are considered 
safe; the publisher would not expect the contents of a comment to suddenly 
be invoked.

The comment could be, e.g.:

   <!--

     Let's hope nobody ever manages to sneak this into our site through a 
     cross-site scripting attack!:

        <script> doSomethingEvil(); </script>

     That would be terrible!

     Oh well. There's no way they could aCONNECTION TERMINATED BY PEER

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Sunday, 22 January 2006 19:33:16 UTC
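As an added illustration of the hazard Hickson describes (example code written for this page, not from the thread or from any browser), the following models a consumer that reparses the body of an unterminated comment when it hits EOF, beside a sanitiser that trusts comments and a strict variant that drops them. The reparse-at-EOF rule, the function names and the sample markup are assumptions made for the model.

```javascript
// Constructed sample, mirroring the thread's unterminated comment.
const SAMPLE = '<p>hi</p><!-- note <script>doSomethingEvil();</script> rest';

// Model of the consumer parser (assumed behaviour, as discussed in the
// thread): terminated comments vanish; on EOF inside an unterminated
// comment the parser rewinds and treats the comment body as markup.
function reparsedMarkup(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const open = html.indexOf('<!--', i);
    if (open === -1) { out += html.slice(i); break; }
    out += html.slice(i, open);
    const close = html.indexOf('-->', open + 4);
    if (close === -1) { out += html.slice(open + 4); break; } // reparse body
    i = close + 3;
  }
  return out;
}

const SCRIPT_RE = /<script\b[\s\S]*?<\/script\s*>/gi;

function hasScript(markup) {
  return /<script\b/i.test(markup);
}

// Sanitiser that removes <script> elements from markup. In naive mode a
// comment is copied through untouched (to EOF if unterminated), so its
// contents are never inspected: exactly what the consumer above reparses.
// In strict mode every comment is dropped, and an unterminated one is
// dropped through to EOF, so no byte of it can resurface as markup.
function sanitise(html, strict) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const open = html.indexOf('<!--', i);
    const chunk = open === -1 ? html.slice(i) : html.slice(i, open);
    out += chunk.replace(SCRIPT_RE, '');
    if (open === -1) break;
    const close = html.indexOf('-->', open + 4);
    if (!strict) {
      out += close === -1 ? html.slice(open) : html.slice(open, close + 3);
    }
    if (close === -1) break;
    i = close + 3;
  }
  return out;
}
```

Running `hasScript(reparsedMarkup(sanitise(SAMPLE, false)))` yields true, while the strict variant leaves only `<p>hi</p>` for the consumer to parse.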