- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 24 Jun 2004 12:56:45 +0000 (UTC)
On Tue, 22 Jun 2004, fantasai wrote:
>>
>>>Change the replacement punctuation from "[id]" to "-.id.-" or ":-id-:" or
>>>something like that. This has two advantages:
>>>
>>> a) The combination of that very unusual punctuation sequence (both
>>> opening and closing) /and/ an exact match of the template ID is
>>> going to be so rare as to be practically ignorable.
>>
>> Malicious users could trivially work out the combination that would break
>> this, so I don't think that's a solution to the problem.
>
> Malicious users could trivially use JavaScript to modify the DOM at will
> the way you used it to insert a style sheet into that CSS Test Suite.

Yes but that would only affect them, whereas this particular case can
affect anyone who gets a page that uses a string that came from user
input. For example in a game I could call my empire "[row]" and then if
the empire name is put into any attribute that is part of a repetition
template with id "row", it'll break the game for all users that get that
page (which could be all of them, e.g. if the game is showing logged in
users or something).

Anyway, we solved that for now using the []-prefix label thing.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 24 June 2004 05:56:45 UTC
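
The collision described in the message above, as an added example that is not part of the original post or of any specification text. It assumes a simplified model in which every "[id]" in a cloned template's attribute values is replaced with the row index; the function names, the attribute names and the sample data are constructed for illustration.

```javascript
// Simplified model (an assumption, not the specification's algorithm text):
// when a repetition template is cloned, every "[<template id>]" found in the
// clone's attribute values is replaced with the new block's index.
function expandAttributes(templateId, attrs, index) {
  const token = `[${templateId}]`;
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    out[name] = value.split(token).join(String(index));
  }
  return out;
}

// Server-side check to run before user text is written into an attribute of
// a template: returns every template id whose token appears in the text, so
// the caller can reject or rewrite the value.
function collidingTemplateIds(userText, templateIds) {
  return templateIds.filter((id) => userText.includes(`[${id}]`));
}

// Constructed sample: a template with id "row" whose title attribute carries
// a player-chosen empire name next to a legitimate "[row]" in the field name.
function buildRowAttrs(empireName) {
  return { name: "fleet[row].size", title: `Fleet of ${empireName}` };
}

function demo() {
  const ordinary = expandAttributes("row", buildRowAttrs("Andromeda"), 3);
  const colliding = expandAttributes("row", buildRowAttrs("[row]"), 3);
  return {
    ordinaryTitle: ordinary.title,   // name survives expansion untouched
    collidingTitle: colliding.title, // name was rewritten for every viewer
    fieldName: colliding.name,       // the intended substitution
    flagged: collidingTemplateIds("[row]", ["row", "cols"]),
    clean: collidingTemplateIds("Andromeda", ["row", "cols"]),
  };
}

console.log(demo());
```

The expansion cannot tell the author's "[row]" from one that arrived in user data, so the check has to happen where the server still knows which strings are user-supplied.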