- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Mon, 07 Feb 2011 22:34:47 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec In directory hutz:/tmp/cvs-serv30961 Modified Files: Overview.html Log Message: Raise the profile of a note to the level of a warning, since what it is talking about could result in XSS. (whatwg r5839) Index: Overview.html =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.4688 retrieving revision 1.4689 diff -u -d -r1.4688 -r1.4689 --- Overview.html 7 Feb 2011 21:41:00 -0000 1.4688 +++ Overview.html 7 Feb 2011 22:34:41 -0000 1.4689 @@ -62575,22 +62575,40 @@ </ol><p class="note">Entity reference nodes are <a href="#entity-references">assumed to be expanded</a> by the user agent, and are therefore not covered in the algorithm above.</p> - <p class="note">It is possible that the output of this algorithm, if + <p class="warning">It is possible that the output of this algorithm, if parsed with an <a href="#html-parser">HTML parser</a>, will not return the - original tree structure. For instance, if a <code><a href="#the-textarea-element">textarea</a></code> - element to which a <code title="">Comment</code> node has been - appended is serialized and the output is then reparsed, the comment - will end up being displayed in the text field. Similarly, if, as a - result of DOM manipulation, an element contains a comment that - contains the literal string "<code title="">--></code>", then - when the result of serializing the element is parsed, the comment - will be truncated at that point and the rest of the comment will be - interpreted as markup. More examples would be making a - <code><a href="#script">script</a></code> element contain a text node with the text string - "<code></script></code>", or having a <code><a href="#the-p-element">p</a></code> element that - contains a <code><a href="#the-ul-element">ul</a></code> element (as the <code><a href="#the-ul-element">ul</a></code> element's - <a href="#syntax-start-tag" title="syntax-start-tag">start tag</a> would imply the end - tag for the <code><a href="#the-p-element">p</a></code>).</p> + original tree structure.</p> + + <div class="example"> + + <p>For instance, if a <code><a href="#the-textarea-element">textarea</a></code> element to which a + <code title="">Comment</code> node has been appended is serialized + and the output is then reparsed, the comment will end up being + displayed in the text field. Similarly, if, as a result of DOM + manipulation, an element contains a comment that contains the + literal string "<code title="">--></code>", then when the result + of serializing the element is parsed, the comment will be truncated + at that point and the rest of the comment will be interpreted as + markup. More examples would be making a <code><a href="#script">script</a></code> element + contain a text node with the text string + "<code></script></code>", or having a <code><a href="#the-p-element">p</a></code> element + that contains a <code><a href="#the-ul-element">ul</a></code> element (as the <code><a href="#the-ul-element">ul</a></code> + element's <a href="#syntax-start-tag" title="syntax-start-tag">start tag</a> would + imply the end tag for the <code><a href="#the-p-element">p</a></code>).</p> + + <p>This can enable cross-site scripting attacks. An example of this + would be a page that lets the user enter some font names that are + then inserted into a CSS <code><a href="#the-style-element">style</a></code> block via the DOM and + which then uses the <code title="dom-innerHTML"><a href="#dom-innerhtml">innerHTML</a></code> + IDL attribute to get the HTML serialization of that + <code><a href="#the-style-element">style</a></code> element: if the user enters + "<code></style><script>attack</script></code>" as a font + name, <code title="dom-innerHTML"><a href="#dom-innerhtml">innerHTML</a></code> will return + markup that, if parsed in a different context, would contain a + <code><a href="#script">script</a></code> node, even though no <code><a href="#script">script</a></code> node + existed in the original DOM.</p> + + </div> <p><dfn id="escapingString">Escaping a string</dfn> (for the purposes of the algorithm above) consists of running the following
Received on Monday, 7 February 2011 22:34:48 UTC