- From: poot <cvsmail@w3.org>
- Date: Mon, 5 Oct 2009 12:22:31 +0900 (JST)
- To: public-html-diffs@w3.org
hixie: Disallow ` in unquoted attribute values. (whatwg r4076)
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.3237&r2=1.3238&f=h
http://html5.org/tools/web-apps-tracker?from=4075&to=4076
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.3237
retrieving revision 1.3238
diff -u -d -r1.3237 -r1.3238
--- Overview.html 5 Oct 2009 02:16:19 -0000 1.3237
+++ Overview.html 5 Oct 2009 03:22:13 -0000 1.3238
@@ -53199,9 +53199,39 @@
characters</a>, any U+0022 QUOTATION MARK (<code>"</code>)
characters, U+0027 APOSTROPHE (<code>'</code>) characters,
U+003D EQUALS SIGN (<code>=</code>) characters, U+003C LESS-THAN
- SIGN (<code><</code>) characters, or U+003E GREATER-THAN SIGN
- (<code>></code>) characters, and must not be the empty
- string.</p>
+ SIGN (<code><</code>) characters, U+003E GREATER-THAN SIGN
+ (<code>></code>) characters, or U+0060 GRAVE ACCENT (`)
+ characters, and must not be the empty string.</p>
+
+ <!-- The ` character is in this list on a temporary basis, waiting
+ for IE to fix it's parsing bug whereby it treats ` as an
+ attribute value delimiter. Otherwise, escaping software that
+ tries to be clever and not use quotes when it doesn't need to
+ could be tricked by an attacker.
+
+ Posit a site that allows the user to input text that is used
+ verbatim in two attributes, such that the user can set the
+ first attribute's value to:
+
+ `
+
+ ...and the second to:
+
+ ` onload='...payload...' end=x
+
+ ...with the assumption that the site is going to not quote
+ the first one, and quote the second one with double quotes:
+
+ <body title=` class="` onload='...payload...' end=x">
+
+ In IE, this is treated as:
+
+ <body title=' class="'
+ onload='...payload...'
+ end='x"'>
+
+ -->
+
<div class="example">
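Review bot: the rationale for adding U+0060 to the disallowed set lives only inside an HTML comment, so authors of escaping software reading the rendered spec see the new restriction without the reason; consider surfacing the gist ("some browsers treat ` as an attribute value delimiter, so serializers that omit quotes can be tricked into attribute injection") as a non-normative note next to the requirement, and track the "temporary basis" so the entry can be revisited once the cited parsing behaviour is fixed. Minor: "it's parsing bug" should read "its parsing bug". The worked case in the comment also makes the safer recommendation implicit; serializers that always quote attribute values and escape the quote character are not affected at all, which is worth stating alongside the new character list.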
@@ -55158,6 +55188,7 @@
<dt>U+003C LESS-THAN SIGN (<)</dt>
<dt>U+003D EQUALS SIGN (=)</dt>
+ <dt>U+0060 GRAVE ACCENT (`)</dt>
<dd><a href="#parse-error">Parse error</a>. Treat it as per the "anything else"
entry below.</dd>
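Review bot: adding U+0060 here only raises a parse error and then falls through to the "anything else" handling, so a conforming parser still appends ` to the attribute value rather than treating it as a delimiter; that is consistent with the first hunk (the restriction is on serializers, not parsers), but it would help to say so in the comment there, since the visible text could be read as making ` a delimiter. Please also confirm that the corresponding "attribute value (unquoted)" and "before attribute value" states are both covered, as the diff shows only one list here.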
@@ -55238,6 +55269,7 @@
<dt>U+0027 APOSTROPHE (')</dt>
<dt>U+003C LESS-THAN SIGN (<)</dt>
<dt>U+003D EQUALS SIGN (=)</dt>
+ <dt>U+0060 GRAVE ACCENT (`)</dt>
<dd><a href="#parse-error">Parse error</a>. Treat it as per the "anything else"
entry below.</dd>
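Review bot: this hunk repeats the U+0060 parse-error entry added in the previous hunk; the two lists now differ only in the presence of U+0027 APOSTROPHE, so the additions look consistent, but the duplicated character lists are easy to let drift apart. Consider a cross-reference between the two states (or a single shared list) so that a future change to one is not missed in the other, which is exactly how the ` case arrived here late.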
Received on Monday, 5 October 2009 03:23:06 UTC