- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 26 Aug 2010 15:28:57 -0700
2010/8/26 Kornel Lesiński <kornel at geekhood.net>:
> On Wed, 25 Aug 2010 22:52:42 +0100, Kornel Lesiński <kornel at geekhood.net>
> wrote:
>>> <script>
>>> elmt.innerHTML = 'Hi there <?php echo htmlspecialchars($name) ?>.';
>>> </script>
>>
>> These cases can be secured without any new features in browsers (by
>> escaping whitespace using numeric entities):
>
> I realized I was wrong about this one. It won't prevent script injection in
> JS strings (in places where entities are decoded, including <script> in
> XML), because the entity will be changed to plain text before JavaScript is
> tokenized.

Indeed. This is not a feature for XML. XML won't decode the entity at all.
In HTML, <script> doesn't decode entities, so the pattern is safe.

Adam
Received on Thursday, 26 August 2010 15:28:57 UTC
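To make the two cases concrete, here is an added simulation (my own code, not from the thread) of what the JavaScript engine receives when the template quoted above is served as HTML versus as XML. It assumes htmlspecialchars() is called with ENT_QUOTES so that single quotes are encoded as well (PHP's pre-8.1 default leaves them untouched, which would let the quote through even in HTML), and the attacker value is a constructed sample.

```javascript
// Added example (not from the thread): models the HTML vs. XML handling of
// <script> content that the discussion turns on.
// Assumes PHP's htmlspecialchars() with ENT_QUOTES: & < > " ' become entities.
function htmlspecialchars(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side output of the template quoted in the thread.
function renderScript(name) {
  return `elmt.innerHTML = 'Hi there ${htmlspecialchars(name)}.';`;
}

// Text handed to the JS tokenizer. In HTML, <script> content is raw text and
// entities survive untouched; when assigned to innerHTML later they are decoded
// by the HTML parser, so the page still displays the intended characters.
// In XML (XHTML), the XML parser decodes character and predefined entity
// references before the script is ever tokenized.
function scriptTextSeenByJs(scriptContent, docType) {
  if (docType === 'html') return scriptContent;
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return scriptContent.replace(/&(#x[0-9a-f]+|#\d+|amp|lt|gt|quot|apos);/gi, (_m, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1].toLowerCase() === 'x';
      return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return named[ref.toLowerCase()];
  });
}

// True when the script is still the single intended assignment and the
// untrusted value stayed inside the one single-quoted string literal.
function valueStaysInsideLiteral(jsText) {
  return /^elmt\.innerHTML = '(?:[^'\\\r\n]|\\.)*';$/.test(jsText);
}

// Constructed attacker input that tries to close the string literal early.
const PAYLOAD = "'; alert(1); //";

// Does the pattern keep the value confined for this document type?
function checkPattern(docType, name = PAYLOAD) {
  return valueStaysInsideLiteral(scriptTextSeenByJs(renderScript(name), docType));
}
```

checkPattern('html') is true because the entity reaches the tokenizer as literal text, while checkPattern('xml') is false because the XML parser has already turned `&#039;` back into a quote.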