EOF in start tag

From: Simon Pieters <simonp@opera.com>
Date: Wed, 11 Mar 2009 16:17:12 +0100
To: public-html <public-html@w3.org>
Message-ID: <op.uqmveyrridj3kv@zcorpandell.linkoping.osa>

Consider the following document:

   <body onload="alert(1)

Should the script run? Per HTML5 yes, and it does in Gecko. But we go out of our way to make sure that

   <script>alert(1)

doesn't run. Why should the first case be different?

WebKit seems to drop the element on the floor in case of early EOF. IE and Opera do some reparsing, which is not good because attribute values can suddenly turn into script elements if you get an early EOF:

   <body title="<script>alert(1)</script>


Also consider e.g.

   <iframe src="untrusted" sandbox="">

and you get an EOF before the sandbox attribute.

It seems safer to drop the element on the floor when EOF is found inside a tag.

-- 
Simon Pieters
Opera Software
Received on Wednesday, 11 March 2009 15:17:56 UTC
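
An added example, not part of the original post: a minimal start-tag scanner in JavaScript that runs the post's documents under the two EOF behaviours it contrasts, emitting the unfinished tag versus dropping it. The function `tokenize` and its `policy` values are assumptions made for this illustration, the scanner is not a full HTML5 tokenizer, and the iframe input is constructed by cutting the post's markup off before `sandbox`.

```javascript
// Added illustration; tokenize() and its policy names are hypothetical.
// Scans text and start tags only; it is not a full HTML5 tokenizer.
//   "emit": EOF inside a tag still emits it, with the attributes seen so far
//   "drop": EOF inside a tag discards the tag and everything in it
function tokenize(input, policy) {
  const tokens = [];
  const n = input.length;
  const isSpace = (c) => c === " " || c === "\t" || c === "\n";
  const inTag = (i) => i < n && !isSpace(input[i]) && input[i] !== ">";
  let i = 0;
  while (i < n) {
    if (input[i] !== "<") {              // text runs to the next "<" or EOF
      let j = input.indexOf("<", i);
      if (j === -1) j = n;
      tokens.push({ type: "text", data: input.slice(i, j) });
      i = j;
      continue;
    }
    i++;                                  // consume "<"
    const tag = { type: "startTag", name: "", attrs: {} };
    let closed = false;
    while (inTag(i)) tag.name += input[i++].toLowerCase();
    while (i < n) {
      while (i < n && isSpace(input[i])) i++;
      if (input[i] === ">") { i++; closed = true; break; }
      let name = "", value = "";
      while (inTag(i) && input[i] !== "=") name += input[i++].toLowerCase();
      if (input[i] === "=") {
        i++;
        const q = input[i];
        if (q === '"' || q === "'") {
          let end = input.indexOf(q, i + 1);
          if (end === -1) end = n;        // unterminated quote: value runs to EOF
          value = input.slice(i + 1, end);
          i = Math.min(end + 1, n);
        } else {
          while (inTag(i)) value += input[i++];
        }
      }
      if (name) tag.attrs[name] = value;
    }
    if (closed || policy === "emit") tokens.push(tag);
  }
  return tokens;
}

// Constructed inputs: the post's documents, the iframe cut off before "sandbox".
const samples = ['<body onload="alert(1)', '<body title="<script>alert(1)</script>', '<iframe src="untrusted" '];
for (const s of samples) {
  console.log(JSON.stringify(s), tokenize(s, "emit"), tokenize(s, "drop"));
}
```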
