
[whatwg] comment parsing

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 23 Jan 2006 03:33:16 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0601230330290.9516@dhalsim.dreamhost.com>
On Mon, 23 Jan 2006, Lachlan Hunt wrote:
> 
> I don't understand these security concerns.  How is reparsing it after
> reaching EOF any different from someone writing exactly the same script
> without opening a comment before it?  Won't the script be executed in exactly
> the same way in both cases?

The difference is that a sanitiser script would notice a <script> element, 
but would not notice the contents of a comment. Comments are considered 
safe; the publisher would not expect the contents of a comment to suddenly 
be invoked.

The comment could be, e.g.:

   <!--

     Let's hope nobody ever manages to sneak this into our site through a 
     cross-site scripting attack!:

        <script> doSomethingEvil(); </script>

     That would be terrible!

     Oh well. There's no way they could aCONNECTION TERMINATED BY PEER

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 22 January 2006 19:33:16 UTC
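The hazard described in the message above, as an added example that is not part of the thread, the WHATWG specification, or any browser's parser: a toy tokenizer with two hypothetical policies for a comment still open at EOF (discard the body as comment data, or re-read it as markup), a sanitiser of the kind the message describes that inspects only text outside comments, and a hardened sanitiser that drops every comment before output. The function names, the simplified `<!-- ... -->` handling (real HTML comment tokenization has more states) and the sample inputs are all constructed for this illustration.

```python
# Added example (not from the thread or any WHATWG implementation): a toy
# tokenizer that models two hypothetical policies for a comment left open
# at EOF, and a sanitiser check that does not trust comment contents.
import re

# Case-insensitive match for the start of a script element.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

# Constructed input modelled on the message above: a comment that is never
# closed, with a script element inside it.
SAMPLE_UNTERMINATED = (
    "<p>Hello</p>"
    "<!-- Let's hope nobody sneaks this in: <script> doSomethingEvil(); </script> "
    "There's no way they could a"
)
# Constructed input with a properly closed comment around a script element.
SAMPLE_TERMINATED = "<p>a</p><!-- <script>x()</script> --><p>b</p>"


def tokenize(html, reparse_unterminated):
    """Split markup into ('text', s) and ('comment', s) tokens.

    reparse_unterminated=False: a comment still open at EOF swallows the rest
    of the input as comment data (nothing in it is ever markup).
    reparse_unterminated=True: the body of a comment still open at EOF is
    re-read as ordinary markup, the policy objected to in the thread.
    """
    tokens = []
    pos = 0
    while True:
        start = html.find("<!--", pos)
        if start == -1:
            tokens.append(("text", html[pos:]))
            return tokens
        if start > pos:
            tokens.append(("text", html[pos:start]))
        end = html.find("-->", start + 4)
        if end != -1:
            tokens.append(("comment", html[start + 4:end]))
            pos = end + 3
            continue
        # EOF reached inside the comment: this is where the two policies differ.
        body = html[start + 4:]
        tokens.append(("text" if reparse_unterminated else "comment", body))
        return tokens


def has_unterminated_comment(html):
    """True if the last '<!--' in the input has no matching '-->' after it."""
    start = html.rfind("<!--")
    return start != -1 and html.find("-->", start + 4) == -1


def naive_sanitizer_accepts(html):
    """Sanitiser of the kind the message describes: it checks only text
    outside comments and assumes comment contents are inert."""
    return not any(SCRIPT_TAG.search(s)
                   for kind, s in tokenize(html, reparse_unterminated=False)
                   if kind == "text")


def script_survives(html, reparse_unterminated):
    """Whether a consumer using the given EOF policy ends up with a live
    <script> element in its document."""
    return any(SCRIPT_TAG.search(s)
               for kind, s in tokenize(html, reparse_unterminated)
               if kind == "text")


def sanitize(html):
    """Defensive policy: never trust comment contents. Every comment,
    terminated or not, is dropped before output, and any <script> left in
    the remaining text is rejected. The result is safe under either EOF
    policy because nothing a comment contained reaches the consumer."""
    text = "".join(s for kind, s in tokenize(html, reparse_unterminated=False)
                   if kind == "text")
    if SCRIPT_TAG.search(text):
        raise ValueError("script element in untrusted markup")
    return text


if __name__ == "__main__":
    for name, sample in (("unterminated", SAMPLE_UNTERMINATED),
                         ("terminated", SAMPLE_TERMINATED)):
        print(name,
              "| naive accepts:", naive_sanitizer_accepts(sample),
              "| script survives (discard policy):", script_survives(sample, False),
              "| script survives (reparse policy):", script_survives(sample, True),
              "| sanitized:", repr(sanitize(sample)))
```

The naive sanitiser accepts the unterminated sample because the script sits inside comment data; under the discard policy nothing runs, but under the reparse policy the same input yields a live script element, which is exactly the gap the message points at. The hardened `sanitize` removes comments outright (and `has_unterminated_comment` lets a filter flag the open-comment case explicitly), so the output no longer depends on which EOF policy the consumer's parser happens to use.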
