Re: [whatwg/dom] Allow more characters in element/attribute names and prefixes (PR #1079)

mfreed7 left a comment (whatwg/dom#1079)


> * This does not disallow lone surrogates, the Unicode replacement character U+FFFD, single quotes, or < in any position, because the HTML parser allows introducing those already and it seems nicer to align.

As I was reviewing a Chromium CL that goes along with this PR, I became more worried about allowing `<` in a lot of places. This comment mentions that this was discussed and concluded - could you point me to that discussion? I'd like to (re-)read it.

My general concern is that allowing `<` would seem to cause trouble for things that are scanning for dangerous strings. E.g. `<<script>` is now an element with tagname `<script`. Won't this potentially create bad situations somewhere? E.g. sanitizers? I can't immediately put my finger on the exact exploit, but it certainly feels like there must be one in there somewhere...

https://github.com/whatwg/dom/pull/1079#issuecomment-2902252834

Message ID: <whatwg/dom/pull/1079/c2902252834@github.com>

Received on Thursday, 22 May 2025 18:56:07 UTC