
[whatwg] base64 entities

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 26 Aug 2010 23:59:47 +0200
Message-ID: <op.vh2fdu1264w2qv@anne-van-kesterens-macbook-pro.local>
On Thu, 26 Aug 2010 22:30:00 +0200, Julian Reschke <julian.reschke at gmx.de> wrote:
> I now get the point about the additional problems in script, but I fail  
> to see how the proposal addresses this, unless expanding these entities  
> is supposed to happen *after* parsing the script.

If you have

   ele.innerHTML = '&%....;'

inside <script> it would be expanded the moment innerHTML is invoked  
(inside script entities are not expanded) and thus be safe from  
"</script>" injection and such. So yes, it happens after.

Anne van Kesteren
Received on Thursday, 26 August 2010 14:59:47 UTC
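
Added example, not part of the original message or of any browser's code: a simplified model of why a value carried as a base64 entity inside <script> cannot end the script element early, while the same value inlined raw can. The `&%<base64>;` grammar, the helper names and the sample value are assumptions made for illustration; the message only shows the shape `&%....;`.

```javascript
// Simplified model, not a full HTML tokenizer (assumption: Node.js Buffer is available).
// In script data the parser does not expand entities; the element ends at the
// first "</script" followed by whitespace, "/" or ">" (case-insensitive).
const SCRIPT_END = /<\/script[\t\n\f\r \/>]/i;

// Return the part of `source` the HTML parser would hand to the script engine.
function scriptBodySeenByParser(source) {
  const m = SCRIPT_END.exec(source);
  return m === null ? source : source.slice(0, m.index);
}

// Hypothetical expansion step: replace each "&%<base64>;" with the decoded text.
// The exact entity grammar is assumed, not taken from a specification.
function expandBase64Entities(markup) {
  return markup.replace(/&%([A-Za-z0-9+\/]+={0,2});/g,
    (_, b64) => Buffer.from(b64, "base64").toString("utf8"));
}

// Constructed untrusted value that contains a script end tag.
const untrusted = "<b>hi</b></script><p>outside";

// Page author inlines the raw value into a string literal inside <script>.
function inlineRaw(value) {
  return "ele.innerHTML = '" + value + "';";
}

// Page author inlines the value as a base64 entity instead.
// The base64 alphabet has no "<", so no end tag can appear in the script text.
function inlineEncoded(value) {
  const b64 = Buffer.from(value, "utf8").toString("base64");
  return "ele.innerHTML = '&%" + b64 + ";';";
}

// Model the innerHTML setter: take the string literal, then expand entities.
// Returns null when the statement was cut off and is no longer well-formed.
function valueAssignedToInnerHTML(scriptBody) {
  const m = /^ele\.innerHTML = '(.*)';$/s.exec(scriptBody);
  return m === null ? null : expandBase64Entities(m[1]);
}

const rawBody = scriptBodySeenByParser(inlineRaw(untrusted));
const encBody = scriptBodySeenByParser(inlineEncoded(untrusted));
console.log("raw script body:    ", JSON.stringify(rawBody));
console.log("encoded script body:", JSON.stringify(encBody));
console.log("assigned value:     ", JSON.stringify(valueAssignedToInnerHTML(encBody)));
```

In the raw case the script body is truncated at the end tag and the rest of the value lands in the document as markup; in the encoded case the parser sees the whole statement and the original value only reappears when the assignment runs.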
