
[whatwg] Make quoted attributes a conformance criteria

From: Bil Corry <bil@corry.biz>
Date: Fri, 24 Jul 2009 22:55:52 -0500
Message-ID: <4A6A8248.6010908@corry.biz>
Aryeh Gregor wrote on 7/24/2009 5:44 PM: 
> On Fri, Jul 24, 2009 at 6:26 PM, Bil Corry<bil at corry.biz> wrote:
>> That's a classic XSS vulnerability.  The backend developer must know if there are quotes or not in the template, then encode/sanitize the value accordingly.
> 
> It's not XSS if the values are statically provided by the first
> developer and aren't generated from user input.

Sure, but I was basing my reply on the provided example: "Then there might come a change, because dev 1 - or the users of the CMS - suddenly starts to produce longer values."

Even in the case where the developer is providing the values via a trusted source (say a database), it's still a best practice to encode/sanitize the value.

- Bil
Received on Friday, 24 July 2009 20:55:52 UTC
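The point above, as an added example that is not part of the thread: one helper that emits both the quotes and the escaping, so the encoder no longer depends on whether the template author remembered the quotes, plus a small constructed tokenizer showing how a value that "suddenly gets longer" (gains a space) splits into two attributes when the quotes are missing.

```javascript
// Added example, not code from the whatwg thread or any project.
// Escape the characters that can end or re-interpret an attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render name="value" with the quotes supplied here, never by the template.
function renderAttr(name, value) {
  if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(name)) throw new Error("bad attribute name");
  return `${name}="${escapeAttr(value)}"`;
}

// The template that forgot the quotes: escaping alone is not enough, because
// an unquoted value ends at the first whitespace character.
function renderUnquotedAttr(name, value) {
  return `${name}=${escapeAttr(value)}`;
}

// Constructed mini-tokenizer (not a full HTML parser) for the attribute part
// of a start tag, following the rule that an unquoted value stops at
// whitespace. Returns the attribute names a browser would see.
function attributeNames(attrText) {
  const names = [];
  const re = /([^\s"'=<>\/]+)(?:=(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) names.push(m[1]);
  return names;
}

// Constructed sample: a CMS value that grew from "blue" to "my value".
const grownValue = "my value";
console.log(attributeNames(renderAttr("class", grownValue)));         // ["class"]
console.log(attributeNames(renderUnquotedAttr("class", grownValue))); // ["class","value"]
```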
