W3C home > Mailing lists > Public > whatwg@whatwg.org > January 2006

[whatwg] comment parsing

From: Daniel Veditz <dveditz@cruzio.com>
Date: Sun, 22 Jan 2006 19:21:04 -0800
Message-ID: <43D44BA0.7040903@cruzio.com>
Lachlan Hunt wrote:
> Ian Hickson wrote:
>> A DOS attack on the server could cause the transmitted text to be:
>>    ...
>>    <!--
>>      <script> hostileScript(): </script>
>> ...which, if we re-parse the content upon hitting EOF with an open
>> comment, would cause the script to be executed.
> I don't understand these security concerns.  How is reparsing it after
> reaching EOF any different from someone writing exactly the same script
> without opening a comment before it?  Won't the script be executed in
> exactly the same way in both cases?

We're assuming the web app is not going to allow anyone to write the
plain <script> tags--a clear XSS risk--and that if it did allow comments
it might not sanitize their contents, assuming them to be "safe".
Received on Sunday, 22 January 2006 19:21:04 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:44 UTC