- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Thu, 20 Mar 2008 16:16:23 +0200
- To: HTML WG <public-html@w3.org>
In case reparsing upon EOF inside comment is considered: Reparsing anything upon EOF is bad for security, because stuff that a gatekeeper thought was harmless can turn into a runnable script if an attacker manages to force a premature EOF e.g. by disrupting the network stream. If the spec ends up specifying reparsing anyway, rewinding the byte stream to a particular point is more painful from an implementation perspective than simulating document.write with the decoded characters accumulated in the comment buffer. -- Henri Sivonen hsivonen@iki.fi http://hsivonen.iki.fi/
Received on Thursday, 20 March 2008 14:17:13 UTC