- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Mon, 05 Oct 2009 03:22:16 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec In directory hutz:/tmp/cvs-serv17071 Modified Files: Overview.html Log Message: Disallow ` in unquoted attribute values. (whatwg r4076) Index: Overview.html =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.3237 retrieving revision 1.3238 diff -u -d -r1.3237 -r1.3238 --- Overview.html 5 Oct 2009 02:16:19 -0000 1.3237 +++ Overview.html 5 Oct 2009 03:22:13 -0000 1.3238 @@ -53199,9 +53199,39 @@ characters</a>, any U+0022 QUOTATION MARK (<code>"</code>) characters, U+0027 APOSTROPHE (<code>'</code>) characters, U+003D EQUALS SIGN (<code>=</code>) characters, U+003C LESS-THAN - SIGN (<code><</code>) characters, or U+003E GREATER-THAN SIGN - (<code>></code>) characters, and must not be the empty - string.</p> + SIGN (<code><</code>) characters, U+003E GREATER-THAN SIGN + (<code>></code>) characters, or U+0060 GRAVE ACCENT (`) + characters, and must not be the empty string.</p> + + <!-- The ` character is in this list on a temporary basis, waiting + for IE to fix it's parsing bug whereby it treats ` as an + attribute value delimiter. Otherwise, escaping software that + tries to be clever and not use quotes when it doesn't need to + could be tricked by an attacker. + + Posit a site that allows the user to input text that is used + verbatim in two attributes, such that the user can set the + first attribute's value to: + + ` + + ...and the second to: + + ` onload='...payload...' end=x + + ...with the assumption that the site is going to not quote + the first one, and quote the second one with double quotes: + + <body title=` class="` onload='...payload...' end=x"> + + In IE, this is treated as: + + <body title=' class="' + onload='...payload...' + end='x"'> + + --> + <div class="example"> 
@@ -55158,6 +55188,7 @@ <dt>U+003C LESS-THAN SIGN (<)</dt> <dt>U+003D EQUALS SIGN (=)</dt> + <dt>U+0060 GRAVE ACCENT (`)</dt> <dd><a href="#parse-error">Parse error</a>. Treat it as per the "anything else" entry below.</dd> @@ -55238,6 +55269,7 @@ <dt>U+0027 APOSTROPHE (')</dt> <dt>U+003C LESS-THAN SIGN (<)</dt> <dt>U+003D EQUALS SIGN (=)</dt> + <dt>U+0060 GRAVE ACCENT (`)</dt> <dd><a href="#parse-error">Parse error</a>. Treat it as per the "anything else" entry below.</dd>
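Review bot: in the first hunk (@@ -53199) the new normative entry is written `U+0060 GRAVE ACCENT (`)` while every neighbouring entry wraps its literal in `<code>` (`(<code>"</code>)`, `(<code>></code>)`); write it as `U+0060 GRAVE ACCENT (<code>`</code>)` so the list renders consistently. In the explanatory comment, "waiting for IE to fix it's parsing bug" should read "its". The comment calls the entry temporary but gives no condition for removing it (which IE release must ship the fix, or a tracking reference), so a later editor has no way to tell when it may go; state that condition in the comment. The worked attack in the comment is sound as far as it goes, and worth making explicit for implementers of "escaping software": the defence it implies is to always emit quotes around attribute values and to escape the backtick along with `"` and `'`, rather than deciding per value whether quoting is needed.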
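Review bot: the two tokenizer hunks (@@ -55158 and @@ -55238) flag U+0060 as a parse error but still say "Treat it as per the 'anything else' entry below", so the grave accent is consumed as part of the unquoted value and the tokenized output does not change; what changes is the authoring conformance requirement and the parse-error flag. The log message "Disallow ` in unquoted attribute values" and the comment in the first hunk could be read as the parser rejecting or terminating the value, which these hunks do not do, so the comment should say that conforming parsers continue to accept the character. Neither tokenizer hunk carries any explanation of why a character that is otherwise harmless in unquoted values is now a parse error; add a short comment beside each new `<dt>` pointing at the rationale in the attribute-syntax section, so the two entries are not dropped independently of the authoring rule when the "temporary" restriction is revisited.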
Received on Monday, 5 October 2009 03:22:20 UTC