- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 23 Jan 2006 03:33:16 +0000 (UTC)
On Mon, 23 Jan 2006, Lachlan Hunt wrote:
>
> I don't understand these security concerns. How is reparsing it after
> reaching EOF any different from someone writing exactly the same script
> without opening a comment before it? Won't the script be executed in exactly
> the same way in both cases?

The difference is that a sanitiser script would notice a <script> element,
but would not notice the contents of a comment. Comments are considered
safe; the publisher would not expect the contents of a comment to suddenly
be invoked.

The comment could be, e.g.:

   <!-- Let's hope nobody ever manages to sneak this into our site through
   a cross-site scripting attack!:
   <script>
   doSomethingEvil();
   </script>
   That would be terrible! Oh well. There's no way they could aCONNECTION TERMINATED BY PEER

-- 
Ian Hickson                                      U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/                       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 22 January 2006 19:33:16 UTC
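The scenario Ian describes, as an added example that is not part of the original message or of any real sanitiser: a toy HTML tokenizer, a sanitiser that strips the <script> elements it can see but treats comment contents as opaque (the "comments are considered safe" assumption), and a model of the consumer in two modes, one that leaves an unclosed comment at EOF as a comment and one that reparses the comment text as markup once EOF is reached (the behaviour under debate). The page text, function names and the `reparseUnclosedComment` switch are constructed for this illustration.

```javascript
// Added illustration, not code from the original thread. Constructed input
// modelled on the comment in Ian's message (the trailing text is cut off,
// so the comment is never closed before EOF).
const PAGE = `<p>Welcome</p>
<!-- Let's hope nobody ever manages to sneak this into our site through a
cross-site scripting attack!:
<script>
doSomethingEvil();
</script>
That would be terrible! Oh well. There's no way they could a`;

// Minimal tokenizer: comments, tags and text. An unclosed comment swallows
// everything up to EOF and is flagged so the consumer can decide what to do.
function tokenize(html) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    if (html.startsWith('<!--', i)) {
      const end = html.indexOf('-->', i + 4);
      if (end === -1) {
        tokens.push({ type: 'comment', text: html.slice(i + 4), unclosed: true });
        i = html.length;
      } else {
        tokens.push({ type: 'comment', text: html.slice(i + 4, end), unclosed: false });
        i = end + 3;
      }
    } else if (html[i] === '<') {
      const end = html.indexOf('>', i);
      const tagEnd = end === -1 ? html.length : end + 1;
      tokens.push({ type: 'tag', text: html.slice(i, tagEnd) });
      i = tagEnd;
    } else {
      let end = html.indexOf('<', i);
      if (end === -1) end = html.length;
      tokens.push({ type: 'text', text: html.slice(i, end) });
      i = end;
    }
  }
  return tokens;
}

function tagName(tok) {
  const m = tok.text.match(/^<\/?\s*([a-zA-Z][^\s/>]*)/);
  return m ? m[1].toLowerCase() : '';
}

// Sanitiser in the style Ian describes: drops <script>...</script> wherever
// it sees the element, but passes comments through without looking inside.
function sanitize(html) {
  const out = [];
  let inScript = false;
  for (const tok of tokenize(html)) {
    if (tok.type === 'tag' && tagName(tok) === 'script') {
      inScript = !tok.text.startsWith('</');
      continue;
    }
    if (inScript) continue;
    if (tok.type === 'comment') {
      // Comment contents are "considered safe": emitted verbatim, uninspected.
      out.push('<!--' + tok.text + (tok.unclosed ? '' : '-->'));
    } else {
      out.push(tok.text);
    }
  }
  return out.join('');
}

// Model of the consumer: returns the bodies of the <script> elements it
// would execute. With reparseUnclosedComment=true, an unclosed comment at
// EOF is re-tokenized as ordinary markup, which is the behaviour at issue.
function scriptsRun(html, reparseUnclosedComment) {
  let tokens = tokenize(html);
  const last = tokens[tokens.length - 1];
  if (reparseUnclosedComment && last && last.type === 'comment' && last.unclosed) {
    tokens = tokens.slice(0, -1).concat(tokenize(last.text));
  }
  const scripts = [];
  let current = null;
  for (const tok of tokens) {
    if (tok.type === 'tag' && tagName(tok) === 'script') {
      if (!tok.text.startsWith('</')) current = [];
      else if (current) { scripts.push(current.join('').trim()); current = null; }
      continue;
    }
    if (current) current.push(tok.text);
  }
  return scripts;
}

const clean = sanitize(PAGE);
console.log('script written in the open, after sanitising:',
  scriptsRun(sanitize('<p>hi</p><script>doSomethingEvil();</script>'), true));
console.log('unclosed comment kept as comment:', scriptsRun(clean, false));
console.log('unclosed comment reparsed at EOF:', scriptsRun(clean, true));
```

The first call shows Lachlan's case: a <script> written in the open is caught by the sanitiser and nothing runs. The last two calls show Ian's point: the same script inside an unclosed comment passes the sanitiser untouched, runs nothing under a parser that keeps the comment a comment, and runs `doSomethingEvil();` under one that reparses the comment text after EOF.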