- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 27 Apr 2007 03:51:37 -0700
Anne van Kesteren wrote:
> On Thu, 26 Apr 2007 02:17:12 +0200, Jonas Sicking <jonas at sicking.cc> wrote:
>> We no longer support this in Mozilla (if we ever did). A reason we now
>> explicitly forbid this is we don't want it to ever be possible to create
>> elements with 'illegal' names. Same thing goes for attribute names. This
>> is partially for security reasons since some elements and attributes
>> carry very important security information.
>
> Could you elaborate on the security issues? Could you also give a
> definition of "illegal names" as it's not really clear to me what that
> means for HTML.

Basically, for <input< type=file value="/etc/passwd">, if part of the code thinks that that is an "input<" element, whereas other parts think that it is an "input" element, you might end up in a situation where the browser sends the /etc/passwd file to the server without user interaction.

It also seems like a bad idea to allow a document to be parsed such that there is no way to serialize it without creating an invalid HTML5 serialization.

As far as element names go, I don't really see a reason to allow more, or less, characters than the XML spec lets you use.

/ Jonas
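The parser-disagreement Jonas describes, as an added illustration that is not part of the thread or of Mozilla's code: an element-name check following the XML 1.0 Name production, beside a lenient tokenizer and a strict one that disagree about the tag name of the constructed sample markup. Function names and the sample string are assumptions made for this example.

```javascript
// Added example: XML 1.0 (5th ed.) NameStartChar / NameChar as Unicode ranges.
const NAME_START = /^[:A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\u{10000}-\u{EFFFF}]$/u;
const NAME_CHAR = /^[\-.0-9:A-Z_a-z\u00B7\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u037D\u037F-\u1FFF\u200C-\u200D\u203F-\u2040\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\u{10000}-\u{EFFFF}]$/u;

// True when `name` is a well-formed XML Name (what a DOM createElement guard
// could enforce so that no node ever carries a name like "input<").
function isValidXmlName(name) {
  const chars = [...name]; // iterate by code point, not UTF-16 unit
  if (chars.length === 0 || !NAME_START.test(chars[0])) return false;
  return chars.slice(1).every((c) => NAME_CHAR.test(c));
}

// Lenient tokenizer: the tag name runs from '<' up to whitespace, '/' or '>'.
// This is the "other part of the code" that sees an "input<" element.
function lenientTagName(markup) {
  const m = /^<([^\s\/>]+)/.exec(markup);
  return m ? m[1].toLowerCase() : null;
}

// Strict tokenizer: the tag name is the longest prefix that is a valid XML
// Name, and it must be followed by whitespace, '/' or '>'; anything else is a
// parse error and the tag is rejected (null) instead of being guessed at.
function strictTagName(markup) {
  if (markup[0] !== "<") return null;
  let name = "";
  for (const c of markup.slice(1)) {
    if (name === "" ? NAME_START.test(c) : NAME_CHAR.test(c)) name += c;
    else break;
  }
  const rest = markup.slice(1 + name.length);
  if (name === "" || !/^[\s\/>]/.test(rest)) return null;
  return name.toLowerCase();
}

// Constructed sample from the thread: a file input with a preset value.
const SAMPLE = '<input< type=file value="/etc/passwd">';

// The security-relevant condition: two components of one browser disagreeing
// about what element a piece of markup produces.
function parsersDisagree(markup) {
  return lenientTagName(markup) !== strictTagName(markup);
}
```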
Received on Friday, 27 April 2007 03:51:37 UTC