
[whatwg] More prohibited characters for unquoted attributes are needed

From: Aryeh Gregor <Simetrical+w3c@gmail.com>
Date: Mon, 7 Sep 2009 13:45:48 -0400
Message-ID: <7c2a12e20909071045m60b36520s8cf050d8f0e3e8db@mail.gmail.com>
On Mon, Sep 7, 2009 at 1:34 PM, Geoffrey Sneddon <foolistbar at googlemail.com> wrote:
> Apparently Hixie had previously said he didn't want to change this as it
> will become a non-issue over time. I think it does matter due to the
> security issues it presents in existing UAs. Conforming markup (using
> elements/attributes allowed in HTML 4.01) should not cause JS to execute in
> one browser but not in another.

I agree with you as an author.  I wrote an HTML output function in
MediaWiki assuming that what the standard says is known to be
interoperable, which is apparently wrong.  If I hadn't been keeping up
with HTML 5, I would have introduced an XSS vulnerability because of
some browsers' handling of `.

If the problem will go away with time, then perhaps a later version of
the standard could make such unquoted attributes conforming, once
there's no more problem with them.
Received on Monday, 7 September 2009 10:45:48 UTC
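As an added illustration of the mitigation the thread points at (this is example code, not the MediaWiki output function Aryeh mentions), the following Python serializer never emits an unquoted attribute value at all, and also exposes a check for the characters HTML5 forbids in an unquoted value (ASCII whitespace, `"`, `'`, `=`, `<`, `>`, the backtick, and the empty string). The extra escaping of the backtick inside a quoted value is a conservative choice made here, not something the spec requires.

```python
import html
import re

# Characters HTML5 does not allow to appear literally in an unquoted
# attribute value. Older user agents disagreed on some of these (the
# backtick in particular), which is why unquoted output is risky.
_UNQUOTED_FORBIDDEN = re.compile(r'[\s"\'=<>`]')

# Conservative attribute-name pattern used by this example (assumption:
# ASCII names only, which covers ordinary HTML attributes).
_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9:_.-]*")


def is_safe_unquoted(value: str) -> bool:
    """True only if HTML5 would let `value` appear unquoted.

    A serializer that insists on quoting never needs this, but it is
    useful as a lint for markup produced elsewhere.
    """
    return value != "" and _UNQUOTED_FORBIDDEN.search(value) is None


def html_attr(name: str, value: str) -> str:
    """Serialize one attribute, always double-quoted and escaped.

    Quoting unconditionally removes the per-browser differences the
    thread discusses: the only character that could terminate the value
    early is '"', and it is escaped along with '&', '<', '>' and "'".
    The backtick is additionally escaped as a belt-and-braces measure
    for legacy user agents (a choice of this example, not a spec rule).
    """
    if not _ATTR_NAME.fullmatch(name):
        raise ValueError(f"invalid attribute name: {name!r}")
    escaped = html.escape(value, quote=True).replace("`", "&#96;")
    return f'{name}="{escaped}"'


def render_element(tag: str, attrs: dict, text: str = "") -> str:
    """Render a simple element with every attribute quoted and the
    text content escaped. Void elements are not handled (assumption)."""
    if not _ATTR_NAME.fullmatch(tag):
        raise ValueError(f"invalid tag name: {tag!r}")
    parts = [tag] + [html_attr(k, v) for k, v in attrs.items()]
    return f"<{' '.join(parts)}>{html.escape(text)}</{tag}>"


if __name__ == "__main__":
    # Constructed sample value containing a backtick: it would be
    # conforming HTML 4.01 unquoted, but HTML5 forbids it, and the
    # quoted form is interoperable everywhere.
    sample = "foo`bar"
    print(is_safe_unquoted(sample))            # False
    print(render_element("span", {"title": sample}, "hi"))
```

`is_safe_unquoted` is deliberately separate from `html_attr`: the serializer's safety does not depend on the check, which exists only so callers can reject unquoted values produced by other code.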
