W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > August 2011

[Bug 13586] [html5] Input attributes allow form tampering

From: <bugzilla@jessica.w3.org>
Date: Thu, 04 Aug 2011 00:13:45 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1QolZJ-0005SJ-Ib@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13586

Adrian Bateman [MSFT] <adrianba@microsoft.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adrianba@microsoft.com

--- Comment #2 from Adrian Bateman [MSFT] <adrianba@microsoft.com> 2011-08-04 00:13:44 UTC ---
This is an issue we identified during our security review of HTML5 Forms as we
planned the support that we have included in IE10. We chose not to support the
form attribute for this reason. We were planning to file a Last Call comment of
our own on this issue today.

Reflection of content is pervasive, as we've seen with XSS.  So the question is
 are there pages that reflect content and also have interesting forms on them?
 Sure there are!  Server-side HTML filtering is designed to allow rich HTML
content through but block script.  So it's perfectly reasonable to expect that
with current filters, untrusted content containing <SCRIPT> will get dropped
but a "harmless" <BUTTON> or <INPUT> will not.  Of course the filters can be
modified to account for this, but why set them up to need this change? Not
supporting this feature provides better defense in depth. We didn't find an
overwhelming use case that invalidated this thinking.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Thursday, 4 August 2011 00:13:46 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 16:31:16 UTC