
[whatwg] base64 entities

From: Kornel Lesiński <kornel@geekhood.net>
Date: Thu, 26 Aug 2010 23:40:06 +0100
Message-ID: <B9C45F6A-FD1B-4F9F-906F-B76020869C40@geekhood.net>
On 26.08.2010, at 23:28, Adam Barth wrote:
>> 
>>>> <script>
>>>> elmt.innerHTML = 'Hi there <?php echo htmlspecialchars($name) ?>.';
>>>> </script>
>>> 
>>> These cases can be secured without any new features in browsers (by
>>> escaping whitespace using numeric entities):
>> 
>> I realized I was wrong about this one. It won't prevent script injection in
>> JS strings (in places where entities are decoded, including <script> in
>> XML), because the entity will be changed to plain text before JavaScript is
>> tokenized.
> 
> Indeed.  This is not a feature for XML.  XML won't decode the entity
> at all.  In HTML, <script> doesn't decode entities, so the pattern is
> safe.

Yes, but in that case JS would have to decode the entity on its own. It wouldn't be strictly an HTML feature, but would also change the interpretation of JS string literals. And what if you use this entity outside a JS string? In a regex literal?

What about onclick="show('&%base64;')"? Should this be left insecure, or should the HTML parser have special entity handling for on* attributes? And then what's the meaning of onclick="show('&amp;%base64;')"?

-- 
regards, Kornel
Received on Thursday, 26 August 2010 15:40:06 UTC
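The HTML-versus-XML difference discussed in this thread, modelled as an added example (not code from the thread or from any browser): the same `htmlspecialchars()`-escaped name keeps the JS string literal intact when `<script>` is raw text but breaks it once entities are decoded first, while a JS-level escaper that emits only `\uXXXX` sequences reads the same in both parsers and in on* attributes. The sample name, `js_escape`, `render`, `as_seen_by_js` and `literal_intact` are constructed for this illustration.

```python
import html
import json

# Constructed sample input (not from the thread): a name that would end the
# literal and start a second statement if it reached JS unescaped.
NAME = "O'Brien'; injected(); '"

def htmlspecialchars(s):
    """PHP's htmlspecialchars with ENT_QUOTES, approximated via html.escape."""
    return html.escape(s, quote=True)

def js_escape(s):
    """Escape untrusted text for the inside of a JS string literal: every code
    unit except ASCII letters, digits and space becomes \\uXXXX, so the result
    has no quote, backslash, &, <, / or newline and reads the same whether
    <script> is raw text (HTML), entity-decoded (XML) or an on* attribute."""
    out = []
    for ch in s:
        if ch.isascii() and (ch.isalnum() or ch == " "):
            out.append(ch)
        else:  # UTF-16 code units, so astral characters become surrogate pairs
            units = ch.encode("utf-16-be")
            for i in range(0, len(units), 2):
                out.append("\\u%04x" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)

def render(name, escaper):
    """The thread's server-side template with one escaping function applied."""
    return "elmt.innerHTML = 'Hi there " + escaper(name) + ".';"

def as_seen_by_js(markup, xml):
    """HTML hands <script> text to JS untouched; XML decodes entities first."""
    return html.unescape(markup) if xml else markup

def literal_intact(js):
    """True when the first single-quoted literal closes right before the final
    ';', i.e. the assignment is still one statement with nothing injected."""
    i = js.index("'") + 1
    while i < len(js):
        if js[i] == "'":
            return js[i + 1:] == ";"
        i += 2 if js[i] == "\\" else 1  # a backslash escape consumes the next char
    return False

def roundtrips(s):
    """js_escape output is also valid JSON string syntax; check it decodes back."""
    return json.loads('"' + js_escape(s) + '"') == s
```

`literal_intact(as_seen_by_js(render(NAME, htmlspecialchars), xml=True))` is the failing case the thread describes; the `js_escape` variant passes for both parsers.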
