W3C home > Mailing lists > Public > whatwg@whatwg.org > July 2009

[whatwg] Make quoted attributes a conformance criteria

From: Bil Corry <bil@corry.biz>
Date: Fri, 24 Jul 2009 17:26:23 -0500
Message-ID: <4A6A350F.6010604@corry.biz>
Keryx Web wrote on 7/24/2009 2:52 PM: 
> In that post I talked about a common scenario. One developer works on
> the business logic. It puts out attribute values. Another developer
> works on the presentation logic. He makes templates. Dev 2 omits the
> quotes and for a long time it might work, since the business logic in
> question only produces single word values. Then there might come a
> change, because dev 1 - or the users of the CMS - suddenly starts to
> produce longer values. Suddenly things break, and since nobody touched
> the presentation logic code, it might not be the first place where the
> developers look for an error.

That's a classic XSS vulnerability.  The backend developer must know if there are quotes or not in the template, then encode/sanitize the value accordingly.

- Bil
Received on Friday, 24 July 2009 15:26:23 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:14 UTC