html5/spec Overview.html,1.5474,1.5475 from Ian Hickson via cvs-syncmail on 2011-12-16 (public-html-commits@w3.org from December 2011)

From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
Date: Fri, 16 Dec 2011 00:32:45 +0000
To: public-html-commits@w3.org
Message-Id: <E1RbLjB-0002zr-Cu@lionel-hutz.w3.org>
Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv11505

Modified Files:
	Overview.html 
Log Message:
Mention some XSS risks explicitly. (whatwg r6875)

Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.5474
retrieving revision 1.5475
diff -u -d -r1.5474 -r1.5475
--- Overview.html	15 Dec 2011 00:44:25 -0000	1.5474
+++ Overview.html	16 Dec 2011 00:32:40 -0000	1.5475
@@ -320,7 +320,7 @@
 
    <h1>HTML5</h1>
    <h2 class="no-num no-toc" id="a-vocabulary-and-associated-apis-for-html-and-xhtml">A vocabulary and associated APIs for HTML and XHTML</h2>
-   <h2 class="no-num no-toc" id="editor-s-draft-15-december-2011">Editor's Draft 15 December 2011</h2>
+   <h2 class="no-num no-toc" id="editor-s-draft-16-december-2011">Editor's Draft 16 December 2011</h2>
    <dl><dt>Latest Published Version:</dt>
     <dd><a href="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a></dd>
     <dt>Latest Editor's Draft:</dt>
@@ -467,7 +467,7 @@
   Group</a> is the W3C working group responsible for this
   specification's progress along the W3C Recommendation
   track.
-  This specification is the 15 December 2011 Editor's Draft.
+  This specification is the 16 December 2011 Editor's Draft.
   </p><!-- UNDER NO CIRCUMSTANCES IS THE PRECEDING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><p>Work on this specification is also done at the <a href="http://www.whatwg.org/">WHATWG</a>. The W3C HTML working group
   actively pursues convergence with the WHATWG, as required by the <a href="http://www.w3.org/2007/03/HTML-WG-charter">W3C HTML working
   group charter</a>.</p><!-- UNDER NO CIRCUMSTANCES IS THE FOLLOWING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><p>This document was produced by a group operating under the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5
@@ -1789,7 +1789,27 @@
 
     </div>
 
-   </dd>
+    <p>There are many constructs that can be used to try to trick a
+    site into executing code. Here are some that authors are
+    encouraged to consider when writing whitelist filters:</p>
+
+    <ul><li>When allowing harmless-seeming elements like
+     <code><a href="#the-img-element">img</a></code>, it is important to whitelist any provided
+     attributes as well. If one allowed all attributes then an
+     attacker could, for instance, use the <code title="handler-onload"><a href="#handler-onload">onload</a></code> attribute to run arbitrary
+     script.</li>
+
+     <li>When allowing URLs to be provided (e.g. for links), the
+     scheme of each URL also needs to be explicitly whitelisted, as
+     there are many schemes that can be abused. The most prominent
+     example is "<code agents="" but="" can="" have="" historically="" implement="" implemented="" indeed="" others="" title="javascript:</code>" user=""> 
+
+     <li>Allowing a <code><a href="#the-base-element">base</a></code> element to be inserted means any
+     <code><a href="#the-script-element">script</a></code> elements in the page with relative links can
+     be hijacked, and similarly that any form submissions can get
+     redirected to a hostile site.</li>
+
+    </code></ul></dd>
 
 
    <dt>Cross-site request forgery (CSRF)</dt>
Received on Friday, 16 December 2011 00:32:52 UTC