Re: Security Markup

From: Orion Adrian <orion.adrian@gmail.com>
Date: Mon, 21 Aug 2006 09:17:51 -0400
Message-ID: <abd6c8010608210617u76504feav298dd513a26d7076@mail.gmail.com>
To: "HTML Mailing List" <www-html@w3.org>

On 8/21/06, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> * Orion Adrian wrote:
> >> > <div id="comment123"  nocode="true">
> >>
> >> I'm afraid that this would be too easy to bypass:
> >>
> >> <div id="comment123"  nocode="true">
> >>         $comment
> >> </div>
> >>
> >> $comment = '</div><script ...';
> >
> >Not if you required the comments to be well-formed by themselves.
>
> Here is a "well-formed" comment:
>
>   +ADw-/div+AD4-+ADw-script+AD4-alert('pwnd')+ADw-/script+AD4-...
>
> If the document does not declare an encoding and the comment is placed
> appropriately in the document, this will likely cause IE6 to consider
> the document UTF-7 encoded and the script will be executed. Of course,
> escaping the comment would not protect from this problem either, only
> a proper encoding declaration will.

I'm willing to say that a document must be properly encoded for this
thing to work. Heck, I'm willing to say a document should always be
properly encoded.


-- 

Orion Adrian
Received on Monday, 21 August 2006 13:18:04 GMT
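
The point the thread arrives at, as an added example that is not part of the original messages: escaping markup characters finds nothing to neutralise in the quoted UTF-7 comment, so the server-side check that matters is whether the page declares its encoding. The function names are hypothetical, and the 1024-byte window for the `<meta>` search is an assumption of this sketch.

```python
import html
import re

# Comment text quoted in the thread above.
COMMENT = "+ADw-/div+AD4-+ADw-script+AD4-alert('pwnd')+ADw-/script+AD4-"

_HEADER_CHARSET = re.compile(r"charset\s*=\s*[\"']?([A-Za-z0-9._:-]+)", re.I)
_META_CHARSET = re.compile(rb"<meta[^>]+charset\s*=\s*[\"']?([A-Za-z0-9._:-]+)", re.I)


def survives_markup_escaping(text):
    """True if escaping <, > and & leaves the text byte-for-byte unchanged."""
    return html.escape(text, quote=False) == text


def as_utf7(text):
    """What a parser sees if it guesses that the page is UTF-7."""
    return text.encode("ascii").decode("utf-7")


def declared_charset(content_type, body):
    """Charset from the Content-Type header, else from a <meta> near the top
    of the body, else None (the browser is left to guess)."""
    m = _HEADER_CHARSET.search(content_type or "")
    if m:
        return m.group(1).lower()
    m = _META_CHARSET.search(body[:1024])
    return m.group(1).decode("ascii").lower() if m else None


def has_explicit_non_utf7_charset(content_type, body):
    """Pre-send check: the page names an encoding, and it is not UTF-7."""
    charset = declared_charset(content_type, body)
    return charset is not None and charset != "utf-7"


if __name__ == "__main__":
    page = b'<html><body><div id="comment123">' + COMMENT.encode() + b"</div></body></html>"
    print(survives_markup_escaping(COMMENT))                            # escaping changes nothing
    print(as_utf7(COMMENT))                                             # markup after a UTF-7 guess
    print(has_explicit_non_utf7_charset("text/html", page))             # undeclared encoding
    print(has_explicit_non_utf7_charset("text/html; charset=utf-8", page))
```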