Re: "/>" (was Re: several messages about New Vocabularies in text/html from Neil Soiffer on 2008-04-03 (public-html@w3.org from April 2008)

From: Neil Soiffer <Neils@dessci.com>
Date: Thu, 3 Apr 2008 08:03:56 -0700
To: "Henri Sivonen" <hsivonen@iki.fi>
Cc: "Bruce Miller" <bruce.miller@nist.gov>, "Simon Pieters" <simonp@opera.com>, "Ian Hickson" <ian@hixie.ch>, "Sam Ruby" <rubys@us.ibm.com>, public-html@w3.org, www-math@w3.org
Message-ID: <d98bce170804030803m53730613p289d54fbf3fddb77@mail.gmail.com>

The web page reference is really useful, thanks.  You didn't mention IE, so
I tried IE7 and got pretty much what you found where it sucked the
"dangerous" into the script.  However, I found that both Opera 9.5beta and
Firefox 2 both treated <script/> as an empty tag, which differs from what
you found.  I'm puzzled why I found a different behavior in Opera, and why
Firefox 2 would differ from FireFox 3.  I don't think this changes the
discussion, but I thought at least getting the facts straight (and on the
record) might be useful in a different context.

Here's what the web page you referenced came up with:

*IE7*
<!DOCTYPE HTML><html>
  <HEAD>
     <SCRIPT> w("Dangerous"); <body></SCRIPT>
  </HEAD>
  <BODY></BODY>
  <META content=FUGCLQURCL name=SKYPE_FRAMEID>
  </html>

*Opera 9.5beta*
<!DOCTYPE HTML><html><HEAD>
    <SCRIPT></SCRIPT>
<BODY></html>

*Firefox 2.0.0.13*
<!DOCTYPE HTML>
<html><head>
   <script></script>
</head><body>w("Dangerous");
</body></html>



On Wed, Apr 2, 2008 at 9:23 AM, Henri Sivonen <hsivonen@iki.fi> wrote:

> On Apr 2, 2008, at 19:13, Bruce Miller wrote:
>
> >
> > Henri Sivonen wrote:
> >
> > > On Apr 2, 2008, at 18:58, Bruce Miller wrote:
> > >
> > > > I'm trying, but I don't get it.
> > > > I guess you're saying that with something like:
> > > > <script/>
> > > >  do_dangerous_stuff();
> > > > </script>
> > > >
> > > Gatekeeper applying the rule "/> always closes" would determine that
> > > do_dangerous_stuff(); is not executable but existing browsers would still
> > > run it. Of course, this is the wrong way to write a gatekeeper. The right
> > > way is *never* to pass through original source but to always run a parser,
> > > followed by sanitizer, followed by serializer. However, we can't expect
> > > people who write gatekeepers to be competent.
> > >
> >
> > Hmm....
> > Can </script> put do_dangerous_stuff(); into a (new) <script>
> > so that "everybody" agrees it's executable?
> >
>
> Not without creating a gatekeeper problem.
>
>  What do current browsers do with:
> > <script/>
> >  do_dangerous_stuff();
> > <body>....
> > ?
> >
>
>
> The <body> tag becomes part of the script but the script doesn't run,
> because EOF is hit before a </script>. (Tried Firefox 3b4, Safari 3.1 and
> Opera 9.5 beta.)
>
>
> http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A%3Cscript%2F%3E%0A%20w(%22Dangerous%22)%3B%0A%3Cbody%3E<http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C%21DOCTYPE%20html%3E%0A%3Cscript%2F%3E%0A%20w%28%22Dangerous%22%29%3B%0A%3Cbody%3E>
> ...
>
>
> --
> Henri Sivonen
> hsivonen@iki.fi
> http://hsivonen.iki.fi/
>
>
>

Received on Thursday, 3 April 2008 15:04:41 UTC