- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 2 Aug 2011 21:50:59 +0000 (UTC)
- To: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
- cc: public-html-comments@w3.org
On Tue, 2 Aug 2011, Philippe De Ryck wrote:
>
> The new form attributes, which can be used with submit buttons, can make
> it difficult for a user to distinguish the form that is being submitted.
> This can be used by an adversary to trick the user into submitting a
> form, such as an autocompleted login form. Even though this attack was
> already possible with JavaScript enabled, this new vector does not
> depend on scripts. Additionally, it is possible that current content
> validation filters do not yet prevent against button injection.

Surely this was already possible by just injecting </form><form action...>
in the same place as the button would be inserted today?

> Alternatively, if changing the specification is not possible, developers
> should be warned about this attack vector, so they can update their
> content filters.

Filters must be written using whitelists. A filter written using a
blacklist is essentially worthless. A whitelist filter would not be
affected by this or many other additions to HTML.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 2 August 2011 21:51:21 UTC
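
The whitelist-versus-blacklist point in the message above, as an added Python example that is not code from this thread or from the HTML specification: a blacklist filter written before the button `form`/`formaction` attributes existed passes them through unchanged, while a whitelist filter drops them without knowing about them. The tag policy, the function names and the sample markup are assumptions constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Hypothetical policy for user-supplied comments: anything not listed is dropped.
ALLOWED = {"p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
           "br": set(), "ul": set(), "li": set(), "a": {"href"}}
VOID = {"br"}

class WhitelistFilter(HTMLParser):
    """Re-serialises only whitelisted tags and attributes; text is re-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown element (button, form, input, ...) is dropped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # unknown attribute (formaction, onclick, ...) is dropped
            if name == "href" and not re.match(r"(?i)https?://", value.strip()):
                continue  # only absolute http(s) links survive
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def whitelist_filter(markup):
    parser = WhitelistFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

def blacklist_filter(markup):
    """Pre-HTML5 style blacklist: strips scripts, on* handlers and form tags."""
    markup = re.sub(r"(?is)<script.*?</script>", "", markup)
    markup = re.sub(r"(?i)\son\w+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", "", markup)
    return re.sub(r"(?i)</?form\b[^>]*>", "", markup)

# Constructed sample input: a comment carrying a button bound to another form.
SAMPLE = ('<p>Nice post</p><button form="login" '
          'formaction="https://other.example/collect">Read more</button>')
```

The blacklist returns `SAMPLE` unchanged because none of its patterns mention `button`, `form=` or `formaction=`; the whitelist output keeps only the paragraph and the button's text.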