- From: Anne van Kesteren <notifications@github.com>
- Date: Thu, 07 Apr 2022 05:54:24 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 7 April 2022 12:54:35 UTC
For clarity, I was asked to write down https://github.com/whatwg/dom/issues/849#issuecomment-1058064183 a bit more formally. I still think that idea is reasonable as, although I agree we do not defend against reparsing attacks, it still seems good to not introduce novel reparsing attacks.

Using [XML EBNF's notation](https://www.w3.org/TR/xml/#sec-notation):

```ebnf
NewCreateElementName ::= HTMLParserCompatibleName | CreateElementCompatibleName
HTMLParserCompatibleName ::= [a-zA-Z] [^#x00#x09#x0A#x0C#x0D#x20/>]*
CreateElementCompatibleName ::= CreateElementCompatibleNameStartChar (CreateElementCompatibleNameChar)*
CreateElementCompatibleNameStartChar ::= ":" | "_" | [#x80-#x10FFFF]
CreateElementCompatibleNameChar ::= CreateElementCompatibleNameStartChar | [a-zA-Z] | "-" | "." | [0-9]
```

(I would be okay with attempting to ban surrogates, but it feels a bit murky given that you can create elements in the HTML parser that contain them still. I'd be more comfortable closing that hole if we closed it there at the same time.)

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/849#issuecomment-1091699961
Message ID: <whatwg/dom/issues/849/1091699961@github.com>
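The grammar in the message above, transcribed into JavaScript regular expressions as an added example; it is not part of the original message or of the DOM Standard. The function names, the sample names and the simplified tag-name model in `reparsedTagName` are assumptions made for illustration.

```javascript
// Added example: the NewCreateElementName grammar as Unicode-mode regular expressions.
// All names here are hypothetical; nothing below is a DOM API.

// HTMLParserCompatibleName ::= [a-zA-Z] [^#x00#x09#x0A#x0C#x0D#x20/>]*
const HTML_PARSER_COMPATIBLE = /^[a-zA-Z][^\u0000\t\n\f\r \/>]*$/u;

// CreateElementCompatibleName ::= StartChar (NameChar)*
//   StartChar ::= ":" | "_" | [#x80-#x10FFFF]
//   NameChar  ::= StartChar | [a-zA-Z] | "-" | "." | [0-9]
// The range includes surrogates, matching the message's note that they are not banned.
const CREATE_ELEMENT_COMPATIBLE =
  /^[:_\u{80}-\u{10FFFF}][:_\u{80}-\u{10FFFF}a-zA-Z0-9.-]*$/u;

// Returns the production that accepts `name`, or null if neither does.
function classifyElementName(name) {
  if (HTML_PARSER_COMPATIBLE.test(name)) return "HTMLParserCompatibleName";
  if (CREATE_ELEMENT_COMPATIBLE.test(name)) return "CreateElementCompatibleName";
  return null;
}

// Simplified model (assumption) of the tag name read back when "<name>" is
// parsed as HTML: it must start with an ASCII letter and ends at whitespace,
// "/" or ">". ASCII case folding is ignored here.
function reparsedTagName(name) {
  const m = /^<([a-zA-Z][^\u0000\t\n\f\r \/>]*)/u.exec(`<${name}>`);
  return m ? m[1] : null;
}

// Constructed sample names.
const SAMPLES = ["div", "my-element", "a<b", "_private", ":ns", "\u00e9-tag",
                 "a b", "a/b", "a>b", "1up", "_a=b", ""];

function report() {
  return SAMPLES.map((name) => ({
    name,
    production: classifyElementName(name),
    // In this model a name round-trips exactly when the first production accepts it.
    roundTrips: reparsedTagName(name) === name,
  }));
}

console.table(report());
```

Names such as `a b` or `a>b` are rejected by both productions; in the simplified model they would be read back as the shorter tag name `a`.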