
[whatwg] base64 entities

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 26 Aug 2010 15:28:57 -0700
Message-ID: <AANLkTimf+75yTrBAcZWerXMBHJHgajxknmtKsD9NjSDx@mail.gmail.com>
2010/8/26 Kornel Lesiński <kornel at geekhood.net>:
> On Wed, 25 Aug 2010 22:52:42 +0100, Kornel Lesiński <kornel at geekhood.net>
> wrote:
>>> <script>
>>> elmt.innerHTML = 'Hi there <?php echo htmlspecialchars($name) ?>.';
>>> </script>
>>
>> These cases can be secured without any new features in browsers (by
>> escaping whitespace using numeric entities):
>
> I realized I was wrong about this one. It won't prevent script injection in
> JS strings (in places where entities are decoded, including <script> in
> XML), because entity will be changed to plain text before JavaScript is
> tokenized.

Indeed.  This is not a feature for XML.  XML won't decode the entity
at all.  In HTML, <script> doesn't decode entities, so the pattern is
safe.

Adam
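As an added illustration (not part of the thread), the following JavaScript models the difference Adam describes: the script text the PHP snippet emits is handed to the JS tokenizer untouched when served as HTML, but with entities already decoded when served as XML. The helper names, the approximation of htmlspecialchars with ENT_QUOTES plus numeric whitespace escaping, and the constructed sample value are assumptions of this example.

```javascript
// Added example, not from the thread: what the JavaScript tokenizer sees
// when the <script> block above is served as text/html versus as XML.
// In HTML, <script> content is raw text, so entities survive until innerHTML
// decodes them. In XML, the parser decodes entities before JS tokenizes.

// Approximation of PHP htmlspecialchars($s, ENT_QUOTES) plus the proposed
// numeric escaping of whitespace (assumption: this is what "escaping
// whitespace using numeric entities" means). Decimal entities only.
function escapeForHtml(s) {
  return s.replace(/[&<>"'\n\r\t]/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Decode the numeric entities an XML parser would expand before the script
// text reaches JavaScript (decimal and hex forms; enough for this demo).
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-fA-F]+|\d+);/g, (_, n) =>
    String.fromCodePoint(n[0] === "x" ? parseInt(n.slice(1), 16) : parseInt(n, 10)));
}

// Server-side template: the statement as the PHP emits it.
function renderScriptText(name) {
  return "elmt.innerHTML = 'Hi there " + escapeForHtml(name) + ".';";
}

// True if the statement is still exactly one single-quoted JS string literal
// with no unescaped quote or line terminator inside it, i.e. the untrusted
// value could not have closed the literal early or split it across lines.
function stringLiteralIntact(js) {
  return /^elmt\.innerHTML = '(?:[^'\\\n\r]|\\.)*';$/.test(js);
}

// The script text as the JS tokenizer receives it for each document type.
function scriptAsSeenByJs(name, isXml) {
  const emitted = renderScriptText(name);
  return isXml ? decodeNumericEntities(emitted) : emitted;
}

// Constructed sample: a value containing both a quote and a newline.
const untrusted = "O'Brien\n";
console.log(stringLiteralIntact(scriptAsSeenByJs(untrusted, false))); // true  (HTML)
console.log(stringLiteralIntact(scriptAsSeenByJs(untrusted, true)));  // false (XML)
```

The HTML case keeps `&#39;` and `&#10;` as inert text inside the literal until innerHTML decodes them; the XML case hands the decoded quote and newline straight to the JS tokenizer, which is the breakage Kornel noticed.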
Received on Thursday, 26 August 2010 15:28:57 UTC
