W3C home > Mailing lists > Public > www-html@w3.org > August 2006

Re: Security Markup

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Mon, 21 Aug 2006 15:11:55 +0200
To: "Orion Adrian" <orion.adrian@gmail.com>
Cc: "HTML Mailing List" <www-html@w3.org>
Message-ID: <9hbje2tkm5sdadpq25rn3ptik2pesrge8g@hive.bjoern.hoehrmann.de> 

* Orion Adrian wrote:
>> > <div id="comment123"  nocode="true">
>>
>> I'm afraid that this would be too easy to bypass:
>>
>> <div id="comment123"  nocode="true">
>>         $comment
>> </div>
>>
>> $comment = '</div><script ...';
>
>Not if you required the comments to be well-formed by themselves.

Here is a "well-formed" comment:

  +ADw-/div+AD4-+ADw-script+AD4-alert('pwnd')+ADw-/script+AD4-...

If the document does not declare an encoding and the comment is placed
appropriately in the document, this will likely cause IE6 to consider
the document UTF-7 encoded and the script will be executed. Of course,
escaping the comment would not protect from this problem either, only
a proper encoding declaration will.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Monday, 21 August 2006 13:38:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 July 2008 07:54:34 GMT