XHTML 1.1 validation accepts additional content

Hello W3C Mailing List,

Firstly, please continue with your excellent work to improve web standards. With that said, please consider my concerns that there could be an exploitable problem with the latest version of the on-line validator which could cause an unscrupulous website to create a link to the Markup Validation Service. Validator results could be crafted to display misleading content.

The problem is much simpler than the solution, but to illustrate my point I have created a screenshot of a page that I had modified to describe my findings visually. That page is no longer on-line, as I am sure that you do not need to view it to see the problem.

The screenshot I have prepared is located here:
http://img66.imageshack.us/img66/2162/w3cinfectedqg4.png

As mentioned, it is extremely easy to do this and I am concerned that it could be a potential embarrassment, in the very least, to the fine work that the W3C does. It could be used for Spamming, pointing to malicious code and other nefarious practices.

In my simple example, the user clicks on a link that validates a purposefully crafted page and displays (with light font on a reddish background) "IMPORTANT THE W3C SITE HAS DETERMINED THAT YOUR COMPUTER IS INFECTED VISIT INFECTIONKILLER.COM TO FIX IT RIGHT AWAY"

[ INFECTIONKILLER.COM does not currently exist in the DNS and is only an example. ]

This is done by modifying the DTD to include that text and closing an img tag improperly (for example), so as to invoke the reddish background when the page is validated. How it is done is readily ascertainable if you view my screenshot at the above link.

I am not a member of the mailing list, and vigorous searches did not reveal any related topics that I am aware of. I am only available at the email account from which this email was sent.

Please inform me if this matter has been reported before.

Thank you all very much for your dedication and hard work.

Received on Monday, 3 September 2007 16:34:47 UTC