W3C home > Mailing lists > Public > whatwg@whatwg.org > April 2007

[whatwg] Parsing: < in unquoted attribute values

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 27 Apr 2007 03:51:37 -0700
Message-ID: <4631D5B9.2090505@sicking.cc>
Anne van Kesteren wrote:
> On Thu, 26 Apr 2007 02:17:12 +0200, Jonas Sicking <jonas at sicking.cc> wrote:
>> We do no longer support this in mozilla (if we ever did). A reason we 
>> now explicitly forbid this is we don't want it to ever be possible to 
>> create elements with 'illegal' names. Same thing goes for attribute 
>> names. This is partially for security reasons since some elements and 
>> attributes carry very important security information.
> 
> Could you elaborate on the security issues? Could you also give a 
> definition of "illegal names" as it's not really clear to me what that 
> means for HTML.

Basically, for <input< type=file value="/etc/passwd">, if part of the 
code thinks that that is an "input<" element, where as other parts 
thinks that is and "input" element, you might end up in a situation 
where the browser sends the /etc/passwd file to the server without user 
interaction.

It also seems like a bad idea to allow a document to be parsed such as 
there is no way to serialize it without creating an invalid html5 
serialization.

As far as element names go, i don't really see a reason to allow more, 
or less, characters than the XML spec lets you use.

/ Jonas
Received on Friday, 27 April 2007 03:51:37 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:54 UTC