Re: [whatwg/dom] Valid/Invalid characters in document.createElement() (#849)

> I'd quite strongly prefer that no existing HTML/XML meta characters would be newly allowed. E.g. several proposals above allow "<" as part of element names, or single quotes.

Even if these characters are allowed, they shouldn't really undermine security, as currently it is also possible to have them in tag names created by the HTML parser.

Consider the following example:

```js
const doc = new DOMParser().parseFromString(`<elem<'abc>test`, 'text/html');
const tagName = doc.body.firstChild.tagName;
// tagName is now equal to "ELEM<'ABC"
```

Even if this HTML is serialized and reparsed, the tag would still be reparsed as `ELEM<'ABC`.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/849#issuecomment-1103769262

Message ID: <whatwg/dom/issues/849/1103769262@github.com>

Received on Wednesday, 20 April 2022 10:21:41 UTC
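
The parser behaviour described in the message above, as an added example that is not part of the original comment or of any WHATWG code: a minimal model of the HTML tokenizer's "tag open" and "tag name" states, runnable outside a browser. The function names are hypothetical; attributes, end tags and tree construction are not modelled.

```javascript
// Added example: models only the "tag open" and "tag name" tokenizer states
// of the HTML Standard, for a start tag located at the beginning of the input.
const TAG_NAME_TERMINATORS = new Set(['\t', '\n', '\f', ' ', '/', '>']);

// Returns the tag name the tokenizer would emit, or null when the input does
// not begin a start tag or ends before the tag is closed.
function parseStartTagName(input) {
  // Tag open state: "<" must be followed by an ASCII letter.
  if (input[0] !== '<' || !/^[A-Za-z]$/.test(input[1] || '')) return null;
  let name = '';
  for (let i = 1; i < input.length; i++) {
    const ch = input[i];
    // Tag name state: only whitespace, "/" and ">" end the name.
    if (TAG_NAME_TERMINATORS.has(ch)) return name;
    if (ch === '\0') name += '\uFFFD';                   // NULL is replaced
    else if (ch >= 'A' && ch <= 'Z') name += ch.toLowerCase();
    else name += ch;                                     // "<", "'", '"', "=" are kept
  }
  return null; // EOF inside the tag: no tag token is emitted
}

// Element.tagName for an HTML element: the name in ASCII uppercase.
function tagNameProperty(name) {
  return name.replace(/[a-z]/g, (c) => c.toUpperCase());
}

// Fragment serialization writes the name back verbatim between "<" and ">".
function serializeStartTag(name) {
  return '<' + name + '>';
}

// Parse, serialize, reparse, and report whether the name survived unchanged.
function roundTrip(input) {
  const first = parseStartTagName(input);
  if (first === null) return { first, serialized: null, second: null, stable: false };
  const serialized = serializeStartTag(first);
  const second = parseStartTagName(serialized);
  return { first, serialized, second, stable: first === second };
}

// Constructed sample inputs; the first is the markup from the message above.
for (const sample of ["<elem<'abc>test", '<a"b=c>', '<1abc>', '<a/b>']) {
  const r = roundTrip(sample);
  console.log(JSON.stringify(sample), '->', r.first === null ? null : tagNameProperty(r.first), r.stable);
}
```

Code that validates or filters element names on a serialized string can use `roundTrip` as a reference for which characters the parser keeps in a name.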