
[whatwg] Web Forms 2.0 comments - [ID] repetition index replacement

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 24 Jun 2004 12:56:45 +0000 (UTC)
Message-ID: <Pine.LNX.4.58.0406241252580.27151@dhalsim.dreamhost.com>
On Tue, 22 Jun 2004, fantasai wrote:
>>
>>>Change the replacement punctuation from "[id]" to "-.id.-" or ":-id-:" or
>>>something like that. This has two advantages:
>>>
>>>   a) The combination of that very unusual punctuation sequence (both
>>>      opening and closing) /and/ an exact match of the template ID is
>>>      going to be so rare as to be practically ignorable.
>>
>> Malicious users could trivially work out the combination that would break
>> this, so I don't think that's a solution to the problem.
>
> Malicious users could trivially use JavaScript to modify the DOM at will
> the way you used it to insert a style sheet into that CSS Test Suite.

Yes, but that would only affect them, whereas this particular case can
affect anyone who gets a page that uses a string that came from user
input. For example, in a game I could call my empire "[row]" and then if
the empire name is put into any attribute that is part of a repetition
template with id "row", it'll break the game for all users that get that
page (which could be all of them, e.g. if the game is showing logged-in
users or something).

Anyway, we solved that for now using the []-prefix label thing.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 24 June 2004 05:56:45 UTC
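
The collision described in the message above, as an added example that is not part of the original post or of the Web Forms 2.0 specification: a simplified model of "[id]" index substitution over template attributes, plus a server-side check for user text that contains a template token. The function names, attribute names and sample values are assumptions constructed for illustration.

```javascript
// Simplified model (assumption): every "[templateId]" inside an attribute
// value of a repetition template is replaced by the repetition index.
function expandTemplateAttributes(attrs, templateId, index) {
  const token = `[${templateId}]`;
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    // split/join replaces all occurrences without regex escaping concerns
    out[name] = value.split(token).join(String(index));
  }
  return out;
}

// Server-side check (hypothetical helper): list the template ids whose
// "[id]" token appears inside user-supplied text, so the application can
// reject the value or keep it out of template attributes.
function collidingTemplateIds(userText, templateIds) {
  return templateIds.filter((id) => userText.includes(`[${id}]`));
}

// Constructed sample: a template with id "row" whose title attribute
// carries a user-chosen empire name.
function demo() {
  const empireName = "[row]"; // user input that matches the template token
  const attrs = {
    name: "empire[row].score",        // intended substitution point
    title: `Empire: ${empireName}`,   // user data in the same channel
  };
  return {
    expanded: expandTemplateAttributes(attrs, "row", 3),
    collisions: collidingTemplateIds(empireName, ["row", "player"]),
    benign: collidingTemplateIds("Rome [the first]", ["row", "player"]),
  };
}

console.log(demo());
```

The substitution cannot tell the author's "[row]" from the user's, which is why the name shown to every visitor changes; the check runs before the value is written into the page.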
