- From: Liam R E Quin <liam@w3.org>
- Date: Thu, 13 Sep 2012 01:07:11 -0400
- To: James Clark <jjc@jclark.com>
- Cc: public-microxml@w3.org
On Wed, 2012-09-12 at 13:01 +0700, James Clark wrote:
[...]
> > Is [AVN] really enough of a reason to abandon the XML parser?

> I think in some cases it could be. It would allow an attacker to change a
> newline to a space (and vice-versa) in an attribute value without affecting
> the signature. This could be very significant: imagine if you have some
> JavaScript in the attribute value.

Funnily enough I brought this up last week when someone wanted to introduce // as comment-to-end-of-line in CSS, and I pointed out the problem if you put it inside an attribute value.

However, if the story is that µXML is XML, then it must be OK to process it with XML tools. It might be better to forbid newlines in attributes.

Liam

-- 
Liam Quin - XML Activity Lead, W3C, http://www.w3.org/People/Quin/
Pictures from old books: http://fromoldbooks.org/
Co-author, 5th edition of "Beginning XML", Wrox, July 2012.
The first person to buy 10,000 printed copies gets lots of books!
Received on Thursday, 13 September 2012 05:07:43 UTC
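
The attribute-value normalization (AVN) behaviour discussed in this message, as an added example that is not part of the original thread: an XML 1.0 parser reports the same attribute value whether the literal contains a newline or a space, so a digest over the parsed form cannot tell the two apart, while a consumer that keeps the newline sees different text. The sample documents are constructed, `raw_view` is a simplified stand-in for a consumer that does not normalize, and the SHA-256 over canonical XML stands in for a signature computed with XML tools.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample: the signed document has a literal newline inside the
# attribute value; the altered copy replaces it with a space.
SIGNED = '<button onclick="track() // log click\nsubmit()"/>'
ALTERED = SIGNED.replace("\n", " ")
# Same value with the newline written as a character reference.
ESCAPED = SIGNED.replace("\n", "&#10;")

TAG = re.compile(r"""<[A-Za-z_][^<>"']*(?:(?:"[^"]*"|'[^']*')[^<>"']*)*>""")
ATTR = re.compile(r"""([^\s=<>/"']+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def xml_view(doc):
    """Attribute values as an XML 1.0 parser reports them (after AVN)."""
    return dict(ET.fromstring(doc).attrib)


def raw_view(doc):
    """Attribute literals as written, with no normalization (assumed
    consumer that keeps newlines; simplified scanner for the sample)."""
    out = {}
    for tag in TAG.finditer(doc):
        for m in ATTR.finditer(tag.group(0)):
            out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def c14n_digest(doc):
    """SHA-256 over the canonical form of the parsed document."""
    canonical = ET.canonicalize(xml_data=doc)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def attrs_needing_escape(doc):
    """Names of attributes whose literal holds LF, CR or TAB, all of which
    AVN folds to a space. A producer can reject these before signing."""
    return sorted(n for n, v in raw_view(doc).items() if re.search(r"[\n\r\t]", v))


if __name__ == "__main__":
    print("XML view equal:  ", xml_view(SIGNED) == xml_view(ALTERED))
    print("Digest equal:    ", c14n_digest(SIGNED) == c14n_digest(ALTERED))
    print("Raw view equal:  ", raw_view(SIGNED) == raw_view(ALTERED))
    print("Flagged (signed):", attrs_needing_escape(SIGNED))
```

Writing the newline as `&#10;` (the `ESCAPED` sample) survives AVN, so the parsed value keeps the line break and the digest changes if it is later replaced by a space.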